Ask HN: Why are sites now breaking login forms into stages (name then password)?
I've noticed this trend now where you are asked for your username or email first, then the page reloads with the password box separately. This is really annoying if you use a password manager as you sometimes have to open it twice. Where has this come from? Is it safer?

Several large sites, including Google/Gmail and MS, do this so they can offer separate corporate versions of their cloud products. When you enter your username, it checks whether this is a consumer or corporate username, then the password page you see actually comes from a completely different page. Try going to login.microsoftonline.com which has both a username and a password field and then type "alpha@bristol.ac.uk" into the username field and TAB out (this is not a real username by the way). You'll be redirected to the Bristol version of the sign-in page and get to see a nice picture of their university tower. On Gmail, once you've entered your e-mail address, if it's from a computer it recognises (some combination of cookies and IP address) then the password page will show your avatar; if it's from an unknown computer it won't. I guess this provides a very small signal that can be helpful in detecting phishing.

The terminology you're looking for here regarding the differing logins for different organizations is Single Sign-On (SSO) Providers. There are a bunch of different methods of implementing SSO, and companies that offer this as a service. Using the two-step login allows Microsoft, Google, etc. to redirect users to authenticate with their associated SSO Provider based on their username, or in this case email address domain, so that this login can be shared across other services a company utilizes.

SSO has nothing in particular to do with two-step login. Two-step login is just a way of getting a branded experience in front of the user as soon as possible, nothing more. It is neither necessary nor indicative of SSO (which you have described correctly).
> Two-step login is just a way of getting a branded experience in front of the user as soon as possible, nothing more. It is neither necessary nor indicative of SSO (which you have described correctly).

That might be part of it, but the real point is companies do not want others to MITM their users' passwords.

The custom Microsoft login for the university example cited is an implementation of SSO.

The only justification I've ever seen was places gearing up for multi-factor authentication.
The front login page, asking for your account, tells the backend how you're configured to log in (token, password, biometric, whatever). Then the second page is variable depending on your authentication method. Some authenticators (Google comes to mind) allow for delegation to third-party scenarios. So, similarly, knowing the account is necessary to determine the next step.

Is that the only real reason? blockchain.info immediately pops up a 2FA input bar depending on the previous inputs, not a second page. I'm really looking forward to an answer for us, if someone with deep and relevant knowledge is around.

There are a couple of possibilities that come to mind:
1) Perhaps testing reveals that some users are pushed away by the complexity of being confronted with two fields at the same time, and these users are more likely to successfully log in when presented with only one field at a time.
2) Perhaps there is some actual good security reason for it.
3) Perhaps there is some bad security reason for it. First example: lots of sites appear to express a belief that password managers are evil, and that users must be forced by increasingly obstinate means to type each long detailed robust password one single character at a time. Maybe this is simply an extension of that somehow.
4) Perhaps a security standard somewhere was devised that for some reason (good or bad) demanded this behavior; then it has been copied across the industry ever since.

#3! God it pisses me off so much that Google does this now. I have about 6 different Google accounts (one GApps for Ed, two personal, and three GApps for Business) and it's a pain since I use LastPass, and LP doesn't always get the user matched right. I have to select the right one twice!

Could you explain how "password managers" are a good idea? I can't seem to grasp the concept, or what makes it more secure to have one password for all your passwords and/or to store all your login credentials on someone else's computer.
Easy: I currently have 619 unique passwords, all but two auto-generated and difficult to memorize (because they tend to be 40+ characters and as random as practical). I've had at least four websites on which I've had an account experience publicly-known hash leaks, and in zero of those cases, nor any future cases, is my password hash likely to be easily cracked, and in the unlikely event that it is, the combination of username/email + that password doesn't work anywhere else, so it's of little to no value. I use 1Password, though, so I'm not storing my passwords on someone else's computer in the same way LastPass does. The ease with which password hashes are cracked advances steadily, and I wish more sites would let me supply them with 80+-character passwords.

> the complexity of [...] two fields

If that is true the world is doomed. Giant Meteor 2016. I... I mean... these fuckers can drive, right? They pilot tonne-weight vehicles, at speed, amongst peers. And some of them are responsible for running the power grid, the government, food production, a bunch of other important stuff. They can hold a conversation with another sapient being, and yet a form with two fields is supposedly too much for their minds to deal with? I don't buy it.

A 1% conversion rate increase for some companies is worth millions.

No. Some users cannot drive.

My point is that these are intelligent beings, capable of doing all sorts of amazing things. We can't presume that our users are no more than slavering beasts, incapable of understanding even the simplest things.

Not all people are visual thinkers or have large visual bandwidth. Also, if asking one question at a time adds a % or two to the user base of something as big as Google, then that's a lot of new users.

I've seen this on some bank websites that display a user-selected picture after giving them your user ID. I guess that is so the user can verify that they are talking to the legitimate site.
I've never understood why this is seen as a form of verification. What is stopping a phishing site from simply taking a victim's username and fetching the victim's corresponding image from the bank's website via simple scraping?

My bank asks a security question if logging in from an unknown computer before offering the image or allowing entry of the password.

This also provides zero additional security for the end user. Offering security questions and/or images that a user selected does not prove that the site is legitimate, since a phishing site can literally be a reverse proxy to your bank's website that just logs all form values. You can accomplish this in < 15 lines of nginx configuration. Adding "verification images" or security questions that you set up does not prove that a site is legitimate. A successfully established HTTPS connection to the bank's domain is necessary and sufficient to guarantee authenticity (and most banks use EV too, which browsers make extra obvious). Users should be trained to look at the URL bar for the green EV indicator, instead of being trained to believe that a site is legitimate simply because it displays a picture that they selected. Banks that encourage this behavior are actively encouraging users to become even more gullible to well-crafted phishing attacks.

You are correct. I consider it just one factor in authenticating the bank, but I see your point: it could make people less aware or complacent about the EV etc.

Have you played "What's Your Porn Name?" You combine your first pet's name and your mother's maiden name...

I believe it is there so that you don't accidentally lock someone else out of their account if you enter your username incorrectly (which I have done!). I had an account with ING Direct and when I created it they asked me what I would like to name it, so I simply entered "checking".
Little did I know that you could also use that name as your login name (I always logged in using my account #, I thought the account name was just for display). Took a few weeks to figure out why I kept getting locked out. Turns out the username "checking" is a pretty popular guess. That's probably why many of my bank/credit logins present that option anymore.

Most of mine have moved back to the single-form style of login.

Many sites have started using "magic links" where you can choose to either receive an email with a link that will authenticate you or input the password. Both Netflix and Slack do this. Medium doesn't even offer a password version - it's social network OAuth or this.

Microsoft appears to do it as well with Office 365 and Azure (and related services). They appear to distinguish two types of accounts ('Live ID' type accounts for personal use, and 'Work' accounts) and it is possible for a single e-mail address to refer to both. When I enter my work email, I get to choose between 'use my work account' (which exists in Azure AD) and 'use my personal account' (which some years ago I registered as Live ID), then get the password prompt. Actually their implementation is a bit annoying, because the password field in some cases is already visible before the choice between personal/work is presented - as soon as you tab out of the username field, you get the choice and you have to type your password afterwards.

Couple of potential reasons:
1) Progressive disclosure: getting people invested in filling out simple aspects of a form leads to increased conversions (i.e. giving an email address is easy, whereas creating an account is a different cognitive behavior, but a hypothesis is that it's easier to convert once the user is in the flow).
2) Following Google.

If there's ever a move to implement other authentication methods, then splitting it into that flow makes sense (if there's not, then it doesn't...)

I'm guessing to support company single sign-on.
They look up the domain of your email and then redirect to the correct SSO flow.

I've yet to encounter this - do you have an example site? It seems... wrong and backwards.

Oddly enough, the very low-tech website for the company that holds my mortgage does this. I can't imagine it's for any of the reasons people are speculating about here. Based on the presentation, I think it's purely to simplify the interface. I guess it's less daunting to have to enter only one piece of information at a time.

Tumblr

Personal Capital

Google, Capital One 360

Pivotal Tracker

I've seen it on a lot of websites. It's better if you don't remember which email you used to sign up, as it validates it right away without you having to enter the password, so you can make multiple attempts more quickly. It somewhat looks better because after you've entered your email they can show your profile picture. On Chrome at least, autocomplete still works, so you don't have to enter your password manually if you have it saved. I don't know if other browsers (or even Chrome on certain websites) might get confused if username and password aren't together.

It makes it seem easier to log in. Having to fill 1 field twice feels better than having to fill 2 fields once (in my opinion, at least).

Bank of America and Vanguard both used to do this, but within the last year both switched to a single-stage login, and both said they were switching to single stage to improve security.

The only place I've seen this done is Google. For them it makes sense. Since a long time ago, they've had a feature where you use your custom authentication service to sign in (think: on-site Kerberos instance). For example at school the form would show both email and password fields, but I would enter only my school email into the username and then it would redirect me to my school's centralized login. So now instead of mistakenly showing the password field sometimes, they only show it when necessary.
IIRC, Paychex & Bonobos have a 2-page login.

Tumblr does it.

I'm not saying there aren't others; I'm just giving perspective into the why for one instance I know about.

We use multiple identity providers for users to sign in to our website and we have a 2-stage login form to either redirect a user to the identity provider their organization uses or to use our native login/password authentication. As for Microsoft's login, authenticating users can belong to some Azure Active Directory or Office 365 for Business etc., so Microsoft decides which backend to authenticate users against.

Anecdotal, but we implemented this as we had a large number of existing users who would sign up on our marketing site (when they were actually trying to sign in). We changed it so that they enter their email first, then we detect whether we have that email in our db, and direct them to the appropriate next step (either a sign-up form as a new user, or a password field for an existing user).

Atlassian HipChat.

I imagine it would make it harder for bots to brute-force login credentials.

I've seen it being used so that if the username/email isn't registered, it will load the "Sign Up" process, but if it is, it will instead redirect to the standard login.

They're copying Google.
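The "look up the domain, then redirect" step that several posters describe (identity-provider routing, the Microsoft work/personal ambiguity, and the sign-up-versus-password detection), as an added example that is not code from any site named in the thread. The tenant table, the local account store and every URL below are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed tenant directory: e-mail domain -> that organisation's identity
# provider sign-in URL. Domains and URLs are placeholders, not real endpoints.
TENANTS = {
    "bristol.ac.uk": "https://idp.bristol.example/saml/login",
    "contoso.example": "https://login.contoso.example/oauth2/authorize",
}

# Constructed store of accounts that hold a native password on this site.
LOCAL_USERS = {"alice@mail.example", "bob@contoso.example"}


@dataclass(frozen=True)
class NextStep:
    action: str  # "sso_redirect" | "choose_account" | "password" | "sign_up"
    redirect_url: Optional[str] = None


def normalize(identifier: str) -> str:
    """Trim and lower-case the address (simplification: the local part is
    treated case-insensitively, as most sites do) and reject non-addresses."""
    ident = identifier.strip().lower()
    if ident.count("@") != 1 or ident.startswith("@") or ident.endswith("@"):
        raise ValueError("expected a single e-mail address")
    return ident


def home_realm_discovery(identifier: str, allow_signup: bool = False) -> NextStep:
    """Decide what the second page should be, given only the identifier."""
    email = normalize(identifier)
    domain = email.rpartition("@")[2]
    federated = TENANTS.get(domain)
    is_local = email in LOCAL_USERS
    if federated and is_local:
        # Address known both as a tenant user and as a native account: the
        # "work or personal?" prompt one poster describes for Microsoft.
        return NextStep("choose_account", federated)
    if federated:
        return NextStep("sso_redirect", federated)
    if is_local or not allow_signup:
        # Unknown addresses get the same password page as known ones, so the
        # first step does not reveal which addresses exist. Sites that route
        # unknown addresses straight to sign-up (as one poster does) give
        # that up for convenience.
        return NextStep("password")
    return NextStep("sign_up")
```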