Ask HN: Why do we now show username/password fields on separate screens?
Some time in the last year or two, it has become fashionable to have login flows consist of two individual views: one view where you enter your username/email, and another view for your password.
Why the sudden divergence from rendering these within the same form in the same view? Why the extra click? It’s also annoying from the perspective of password managers when not done properly.

Single sign on. Users accessing online services, for example AWS console, from within the corporate environment, may not use passwords. Identity is federated from whatever corporate directory service the org uses.

Those who are saying SSO should take note that it’s not really necessary to use this pattern for SSO. For example, Microsoft uses the pattern that they will redirect you as soon as your email looks like an SSO email. This has the benefit of allowing a user to enter their password before their username (not doing so being a major pet peeve of mine when copying a password from a password manager).

Microsoft SSO is a shit show. You login and it says wait logging you off. Then you have to try again.

Is that a direct consequence of using a different UI pattern though, or just incidental?

Twilio did explain this in their blog post https://www.twilio.com/blog/why-username-and-password-on-two...

I get the answers, but why not cache the password in the browser for the duration of the redirect? edit: ah I see, sometimes cross domain, that would make the handover potentially dangerous. I thought of just keeping it in js.

While we're on this topic, why have some sites started refusing to prompt me for my password and instead are sending codes to my email? slack.com is a great example. It's like 2FA without the first factor.

It’s because the average person has so many passwords in various formats that they forget. But that person most likely has access to their email.
Instead of taking the user on a password reset journey, just shortcut to login.
The attack vector is restricted to email no matter what.

I suspected that was the case, but I really wish they'd give me an option.

I’ve answered this previously here. https://news.ycombinator.com/item?id=24238783 In a nutshell it’s to handle federated identities.

This has been brought up before and the answer was for enterprise customers. It allows other ways to login based on your account.

It's for enterprise (and other) customers with SSO.

Not all sites require two steps for this, though. HackerRank lets you leave the password field empty, and based on whether you have SSO enabled it either redirects to that or returns an error.

Why not use only the password?
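A worked illustration of the two patterns the thread compares, identity-first (email screen, then redirect or password screen) and the HackerRank-style single form with an optional password, added here as example code that belongs to no commenter and to none of the sites named; the domain table, IdP URLs and addresses are constructed placeholders.

```python
import re
from typing import Optional

# Constructed "home realm" table an enterprise-SSO site keeps:
# e-mail domain -> identity-provider login URL (placeholder values).
SSO_DOMAINS = {
    "example-corp.com": "https://idp.example-corp.com/saml/login",
    "contoso.example": "https://login.idp.example/oidc/authorize",
}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def email_domain(email: str) -> Optional[str]:
    """Normalise the address and return its domain, or None if malformed."""
    m = EMAIL_RE.match(email.strip().lower())
    return m.group(1) if m else None


def first_step(email: str) -> dict:
    """Identity-first flow: screen 1 carries only the e-mail, never a password.
    Returns the next action the UI should take."""
    domain = email_domain(email)
    if domain is None:
        return {"action": "error", "reason": "invalid_email"}
    idp = SSO_DOMAINS.get(domain)
    if idp:
        # Federated user: hand off to the IdP. No password was typed on this
        # origin, so nothing secret has to survive the cross-domain redirect.
        return {"action": "redirect", "url": idp}
    # Only the domain's federation status is revealed here, not whether
    # this particular account exists.
    return {"action": "prompt_password"}


def single_form_login(email: str, password: str) -> dict:
    """Single form with an optional password: empty password + federated
    domain redirects, empty password + local domain is an error."""
    domain = email_domain(email)
    if domain is None:
        return {"action": "error", "reason": "invalid_email"}
    idp = SSO_DOMAINS.get(domain)
    if idp:
        # A federated domain never verifies a password locally, even if one
        # was typed; the credential belongs to the IdP, not to this site.
        return {"action": "redirect", "url": idp}
    if not password:
        return {"action": "error", "reason": "password_required"}
    return {"action": "verify_password"}
```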