Ask HN: Why are sites now breaking login forms into stages (name then password)?
I've noticed this trend now where you are first asked for your username or email first, then the page reloads with the password box separately. This is really annoying if you use a password manager as you sometimes have to open it twice. Where has this come from? Is it safer?
50 comments
[ 4.6 ms ] story [ 88.3 ms ] thread1) Perhaps testing reveals that some users are pushed away by the complexity of being confronted with two fields at the same time, and these users are more likely to successfully login presented with only one field at a time.
2) Perhaps there is some actual good security reason for it.
3) Perhaps there is some bad security reason for it. First example, lots of sites appear to express a belief that password managers are evil, and that users must be forced by increasingly obstinate means to type each long detailed robust password one single character at a time. Maybe this is simply an extension of that somehow.
4) Perhaps a security standard somewhere was devised that for some reason (good or bad) demanded this behavior; then it has been copied across the industry ever since.
If that is true the world is doomed. Giant Meteor 2016
I don't buy it.
We can't presume that our users are no more than slavering beasts, incapable of understanding even the simplest things.
Also, if asking one question at a time adds a % or two to the user base of something as big as Google, then that's a lot of new users.
I can't seem to grasp the concept, or what makes it more secure to have one password for all your passwords and/or to store all your login credentials on someone else's computer.
I use 1Password, though, so I'm not storing my passwords on someone else's computer in the same way LastPass does.
The ease with which password hashes are cracked advances steadily, and I wish more sites would let me supply them with 80+-character passwords.
Both Netflix and Slack does this.
They appear to distinguish two types of accounts ('Live ID' type accounts for personal use, and 'Work' accounts) and it is possible for a single e-mail address to refer to both. When I enter my work email, I get to choose between 'use my work account' (which exists in Azure AD) and 'use my personal account' (which some years ago I registered as Live ID), then get the password prompt.
Actually their implementation is a bit annoying, because the password field in some cases is already visible before the choice between personal/work is presented - as soon as you tab out of the username field, you get the choice and you have to type your password afterwards.
Adding "verification images" or security questions that you set up does not prove that a site is legitimate. A successfully established HTTPS connection to the bank's domain is necessary and sufficient to guarantee authenticity (and most banks use EV too, which browsers make extra obvious).
Users should be trained to look at the URL bar for the green EV indicator, instead of being trained to believe that a site is legitimate simply because it displays a picture that they select. Banks that encourage this behavior are actively encouraging users to become even more gullible to well-crafted phishing attacks.
I consider it just one factor in authenticating the bank but I see your point it could make people less aware or complacent of the EV etc.
Took a few weeks to figure out why I kept getting locked out. Turns out the username "checking" is a pretty popular guess.
For them it makes sense. Since a long time ago, they've had a feature where you use your custom authentication service to sign in (think: on site Kerberos instance).
For example at school the form would show both email and password fields, but I would enter only my school email into the username and then it would redirect me to to my school's centralized login.
So now instead of mistakenly showing the password field sometimes, they only show it when necessary.
Try going to login.microsoftonline.com which has both a username and a password field and then type "alpha@bristol.ac.uk" into the username field and TAB out (this is not a real username by the way). You'll be redirected to the Bristol version of the sign-in page and get to see a nice picture of their university tower.
On gmail, once you've entered your e-mail address, if it's from a computer it recognises (some combination of cookies and IP address) then the password page will show your avatar, if it's from an unknown computer it won't. I guess this provides a very small signal that can be helpful in detecting phishing.
Two-step login is just a way of getting a branded experience in front of the user as soon as possible, nothing more. It is neither necessary nor indicative of SSO (which you have described correctly.)
That might be part of it, but the real point is companies do not want others to MITM their user's passwords.
It's better if you don't remember which email you used to signup, as it validates it right away without you having to enter the password, so you can make multiple attempts more quickly.
It somewhat looks better because after you've entered your email they can show your profile picture.
On Chrome at least, autocomplete still works, so you don't have to enter your password manually if you have it saved. I don't know if other browsers (or even Chrome on certain websites) might get confused if username and passwords aren't together.
It makes it seem easier to login. Having to fill 1 field twice feels better than having to fill 2 fields once (in my opinion, at least).
https://www.hipchat.com/sign_in
As for Microsoft's login, authenticating users can belong to some Azure Active Directory or Office 365 for Business etc., so Microsoft decides which backend to authenticate users against.
We changed it so that they enter their email first, then we detect whether we have that email in our db, and direct them to the appropriate next step (either a sign up form as a new user, or a password field for an existing user).