
Ask HN: Why are sites now breaking login forms into stages (name then password)? - microman
I've noticed this trend now where you are first asked for your username or email, then the page reloads with the password box separately. This is really annoying if you use a password manager as you sometimes have to open it twice. Where has this come from? Is it safer?
======
red_admiral
Several large sites, including google/gmail and MS, do this so they can offer
separate corporate versions of their cloud products. When you enter your
username, it checks whether this is a consumer or corporate username, then the
password page you see actually comes from a completely different page.

Try going to login.microsoftonline.com which has both a username and a
password field and then type "alpha@bristol.ac.uk" into the username field and
TAB out (this is not a real username by the way). You'll be redirected to the
Bristol version of the sign-in page and get to see a nice picture of their
university tower.

On gmail, once you've entered your e-mail address, if it's from a computer it
recognises (some combination of cookies and IP address) then the password page
will show your avatar, if it's from an unknown computer it won't. I guess this
provides a very small signal that can be helpful in detecting phishing.

~~~
natdempk
The terminology you're looking for here regarding the differing logins for
different organizations is Single Sign-On (SSO) Providers. There are a bunch
of different methods of implementing SSO, and companies that offer this as a
service. Using the two-step login allows Microsoft, Google, etc. to redirect
users to authenticate with their associated SSO Provider based on their
username, or in this case email address domain, so that this login can be
shared across other services a company utilizes.

~~~
DelaneyM
SSO has nothing in particular to do with two-step login.

Two-step login is just a way of getting a branded experience in front of the
user as soon as possible, nothing more. It is neither necessary nor indicative
of SSO (which you have described correctly.)

~~~
rblatz
>Two-step login is just a way of getting a branded experience in front of the
user as soon as possible, nothing more. It is neither necessary nor indicative
of SSO (which you have described correctly.)

That might be part of it, but the real point is companies do not want others
to MITM their user's passwords.

------
zero_by_divide
The only justification I've ever seen was places gearing up for multi-factor
authentication. The front login page, asking for your account, tells the
backend how you're configured to login (token, password, biometric, whatever).
Then the second page is variable depending on your authentication method.

~~~
BrandonSmith
Some authenticators (Google comes to mind) allow for delegation to third-party
scenarios. So, similarly, knowing the account is necessary to determine the
next step.

------
kylecordes
I'm really looking forward to an answer for us, if someone with deep and
relevant knowledge is around. There are a couple of possibilities that come to
mind:

1) Perhaps testing reveals that some users are pushed away by the complexity
of being confronted with two fields at the same time, and these users are more
likely to successfully login presented with only one field at a time.

2) Perhaps there is some actual good security reason for it.

3) Perhaps there is some bad security reason for it. First example, lots of
sites appear to express a belief that password managers are evil, and that
users must be forced by increasingly obstinate means to type each long
detailed robust password one single character at a time. Maybe this is simply
an extension of that somehow.

4) Perhaps a security standard somewhere was devised that for some reason
(good or bad) demanded this behavior; then it has been copied across the
industry ever since.

~~~
J_Darnley
> the complexity of [...] two fields

If that is true the world is doomed. Giant Meteor 2016

~~~
s_kilk
I... I mean... these fuckers can drive, right? They pilot tonne-weight
vehicles, at speed, amongst peers. And some of them are responsible for
running the power grid, the government, food production, a bunch of other
important stuff. They can hold a conversation with another sapient being, and
yet a form with two fields is supposedly too much for their minds to deal
with?

I don't buy it.

~~~
Splendor
No. Some users cannot drive.

~~~
s_kilk
My point is that these are intelligent beings, capable of doing all sorts of
amazing things.

We can't presume that our users are no more than slavering beasts, incapable
of understanding even the simplest things.

------
derekp7
I've seen this on some bank websites, that display a user-selected picture
after giving them your user ID. I guess that is so the user can verify that
they are talking to the legitimate site.

~~~
kondbg
I've never understood why this is seen as a form of verification. What is
stopping a phishing site from simply taking a victim's username and fetching
the victim's corresponding image from the bank's website via simple scraping?

~~~
bbcbasic
My bank asks a security question if logging in from an unknown computer before
offering the image or allowing entry of the password.

~~~
kondbg
This also provides zero additional security for the end user. Offering
security questions and/or images that a user selected does not prove that the
site is legitimate, since a phishing site can literally be a reverse proxy to
your bank's website that just logs all form values. You can accomplish this in
< 15 lines of nginx configuration.

Adding "verification images" or security questions that you set up does not
prove that a site is legitimate. A successfully established HTTPS connection
to the bank's domain is necessary and sufficient to guarantee authenticity
(and most banks use EV too, which browsers make extra obvious).

Users should be trained to look at the URL bar for the green EV indicator,
instead of being trained to believe that a site is legitimate simply because
it displays a picture that they select. Banks that encourage this behavior are
actively encouraging users to become even more gullible to well-crafted
phishing attacks.

~~~
bbcbasic
You are correct.

I consider it just one factor in authenticating the bank but I see your point
that it could make people less aware of or complacent about the EV etc.

------
RandomSort
Many sites have started using "magic links" where you can choose to either
receive an email with a link that will authenticate you or you can input the
password.

Both Netflix and Slack do this.
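
The "magic link" variant mentioned above, as an added example for this thread (not Netflix's, Slack's or Medium's own code): issue a single-use, expiring token, keep only its hash server-side, and redeem it exactly once. The base URL, the in-memory store and the fifteen-minute lifetime are constructed assumptions.

```python
"""Single-use, expiring "magic link" issue and redemption.

Added example for this thread, not any site's code. The base URL, the
in-memory store and the lifetime are constructed for illustration.
"""
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60

# Constructed store: sha256(token) -> (email, expires_at). Only the hash is
# kept, so a copy of this table cannot be turned into working links.
PENDING = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, base_url: str = "https://example.org/login/magic",
                     now: Optional[float] = None) -> str:
    """Create a fresh 256-bit random token, remember its hash, return the link to mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[_key(token)] = (email.strip().lower(), now + LINK_TTL_SECONDS)
    return f"{base_url}?token={token}"


def token_from_url(url: str) -> Optional[str]:
    """Pull the token out of a clicked link."""
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


def redeem_magic_link(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the address the token was issued for, or None.

    The entry is removed on the first attempt regardless of outcome, so a link
    works once and an expired link cannot be retried later.
    """
    if not token:
        return None
    now = time.time() if now is None else now
    entry = PENDING.pop(_key(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email
```

One practical failure mode worth designing for: corporate mail gateways and link-preview bots fetch URLs in inbound mail, which consumes a strictly single-use token before the user clicks. Deployments commonly have the link land on a page that redeems only on an explicit button press (a POST), not on the GET the scanner performs.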

~~~
Guyag
Medium don't even offer a password version - it's social network OAuth or
this.

------
misterdata
Microsoft appears to do it as well with Office 365 and Azure (and related
services).

They appear to distinguish two types of accounts ('Live ID' type accounts for
personal use, and 'Work' accounts) and it is possible for a single e-mail
address to refer to both. When I enter my work email, I get to choose between
'use my work account' (which exists in Azure AD) and 'use my personal account'
(which some years ago I registered as Live ID), then get the password prompt.

Actually their implementation is a bit annoying, because the password field in
some cases is already visible before the choice between personal/work is
presented - as soon as you tab out of the username field, you get the choice
and you have to type your password afterwards.

------
wastedhours
Couple of potential reasons: 1) progressive disclosure, getting people
invested in filling out simple aspects of a form leads to increased
conversions (i.e. giving an email address is easy, whereas creating an account
is a different cognitive behavior, but a hypothesis is that it's easier to
convert once the user is in the flow). 2) following Google. If there's ever a
move to implement other authentication methods, then splitting it into that
flow makes sense (if there's not, then it doesn't...)

------
kevinastone
I'm guessing to support company single sign-on. They lookup the domain of your
email and then redirect to the correct SSO flow.

------
Nadya
I've yet to encounter this - do you have an example site? It seems.. wrong and
backwards.

~~~
allenbrunson
oddly enough, the very low-tech website for the company that holds my mortgage
does this. i can't imagine it's for any of the reasons people are speculating
about here. based on the presentation, i think it's purely to simplify the
interface. i guess it's less daunting to have to enter only one piece of
information at a time.

------
56k
I've seen it on a lot of websites.

It's better if you don't remember which email you used to signup, as it
validates it right away without you having to enter the password, so you can
make multiple attempts more quickly.

It somewhat looks better because after you've entered your email they can show
your profile picture.

On Chrome at least, autocomplete still works, so you don't have to enter your
password manually if you have it saved. I don't know if other browsers (or
even Chrome on certain websites) might get confused if username and passwords
aren't together.

It makes it seem easier to login. Having to fill 1 field twice feels better
than having to fill 2 fields once (in my opinion, at least).

------
tzs
Bank of America and Vanguard both used to do this, but within the last year
both switched to a single stage login, and both said they were switching to
single stage to improve security.

------
z1mm32m4n
The only place I've seen this done is Google.

For them it makes sense. Since a long time ago, they've had a feature where
you use your custom authentication service to sign in (think: on site Kerberos
instance).

For example at school the form would show both email and password fields, but
I would enter only my school email into the username and then it would
redirect me to my school's centralized login.

So now instead of mistakenly showing the password field sometimes, they only
show it when necessary.

~~~
scandox
Tumblr does it

~~~
z1mm32m4n
I'm not saying there aren't others; I'm just giving perspective on the one
instance I know about.

------
yks
We use multiple identity providers for users to sign in to our website and we
have 2-stage login form to either redirect a user to the identity provider
their organization uses or to use our native login/password authentication.

As for Microsoft's login, authenticating users can belong to some Azure Active
Directory or Office 365 for Business etc., so Microsoft decides which backend
to authenticate users against.
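
The "home-realm discovery" that red_admiral, natdempk, misterdata and yks describe, as an added example written for this thread (not the login code of Google, Microsoft or any other site named above): the first page's input alone decides whether to redirect to a tenant's identity provider, ask which of two realms an address belongs to, or show the local password page, and the avatar is shown only when a MAC-protected device cookie verifies. The federated-domain table, the account records and the cookie key are constructed assumptions.

```python
"""Home-realm discovery for an e-mail-first login, as an added illustration.

Example code for this thread, not any vendor's. The federated-domain table,
the account records and the cookie key are all constructed for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed tenant table: e-mail domains whose users authenticate at a
# corporate identity provider instead of entering a password here.
FEDERATED_DOMAINS = {
    "corp.example.com": "https://login.corp.example.com/oauth2/authorize",
    "example-university.edu": "https://sso.example-university.edu/saml/login",
}


@dataclass(frozen=True)
class Account:
    email: str
    realm: str            # "consumer" or "work"
    factors: tuple        # what the second page must collect for this account
    avatar_url: Optional[str] = None


# Constructed accounts. alice@corp.example.com exists in both realms, which is
# what a work address that was also registered personally produces.
ACCOUNTS = (
    Account("bob@example.org", "consumer", ("password",), "/avatars/bob.png"),
    Account("alice@corp.example.com", "consumer", ("password", "totp"), "/avatars/alice.png"),
    Account("alice@corp.example.com", "work", ("redirect",)),
)

# Key for the "recognised device" cookie. Constructed here; a deployment would
# keep it in a secrets store and rotate it.
DEVICE_COOKIE_KEY = secrets.token_bytes(32)


def issue_device_cookie(email: str) -> str:
    """Set after a successful login; later visits from this browser may show the avatar."""
    email = email.strip().lower()
    tag = hmac.new(DEVICE_COOKIE_KEY, email.encode(), hashlib.sha256).hexdigest()
    return f"{email}:{tag}"


def device_recognised(email: str, cookie: Optional[str]) -> bool:
    """True only if the cookie carries a valid MAC for exactly this address."""
    if not cookie or ":" not in cookie:
        return False
    cookie_email, tag = cookie.rsplit(":", 1)
    if cookie_email != email.strip().lower():
        return False
    expected = hmac.new(DEVICE_COOKIE_KEY, cookie_email.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def next_step(email: str, device_cookie: Optional[str] = None,
              chosen_realm: Optional[str] = None) -> dict:
    """Decide what the second page shows from the first page's input alone."""
    email = email.strip().lower()
    domain = email.rsplit("@", 1)[-1]
    matches = [a for a in ACCOUNTS if a.email == email]
    if chosen_realm is not None:
        matches = [a for a in matches if a.realm == chosen_realm]

    # Same address in two realms: ask which one before anything else.
    if len(matches) > 1:
        return {"step": "choose_realm", "options": sorted(a.realm for a in matches)}

    # Federated domain: hand off to the tenant's IdP. This also applies to
    # addresses never seen before, so the redirect reveals nothing about
    # whether an account exists (the "alpha@bristol.ac.uk" behaviour above).
    if domain in FEDERATED_DOMAINS and (not matches or matches[0].realm == "work"):
        return {"step": "redirect", "idp": FEDERATED_DOMAINS[domain]}

    # Local account, or an unknown address, which gets the identical page so
    # the first stage does not confirm registration. The avatar is a weak
    # anti-phishing hint shown only when the device cookie verifies.
    account = matches[0] if matches else None
    return {
        "step": "password",
        "factors": account.factors if account else ("password",),
        "avatar": account.avatar_url if account and device_recognised(email, device_cookie) else None,
    }
```

The cookie is bound to the address by the MAC, so a cookie captured for one account does not make a different account's avatar appear; as red_admiral notes, this is only a small signal, since a phishing page simply omits the avatar and most users will not miss it.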

------
seekingcharlie
Anecdotal, but we implemented this as we had a large number of existing users
who would sign up on our marketing site (when they were actually trying to
sign in).

We changed it so that they enter their email first, then we detect whether we
have that email in our db, and direct them to the appropriate next step
(either a sign up form as a new user, or a password field for an existing
user).

------
0xmohit
Atlassian HipChat.

[https://www.hipchat.com/sign_in](https://www.hipchat.com/sign_in)

------
citizens
I imagine it would make it harder for bots to brute-force login credentials.

------
csprague
I've seen it being used so that if the username/email isn't registered, it
will load the "Sign Up" process, but if it is, it will instead redirect to the
standard login.
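
The routing seekingcharlie and csprague describe (registered address goes to the password page, unknown address goes to sign-up) is convenient, but it turns the first stage into an account-enumeration oracle, which also bears on citizens' guess that the split makes brute forcing harder: without throttling, it makes confirming valid usernames easier. The added example below, written for this thread and not any site's code, shows the leaky routing next to a version that gives every address the same on-screen answer, moves the distinction into the mail, and rate-limits lookups per source address. The user table, the addresses and the mail "outbox" are constructed assumptions.

```python
"""The e-mail-first stage as an account-enumeration oracle, with mitigations.

Added example for this thread, not any site's code. The user table, the
addresses and the mail "outbox" are constructed for illustration.
"""
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed user table.
KNOWN_EMAILS = {"existing@example.org"}


def leaky_next_step(email: str) -> str:
    """Routing as described in the thread: a registered address goes to the
    password page, an unknown one to sign-up. Anyone can tell the two apart,
    so the first stage answers "is this address registered here?" for free."""
    return "password" if email.strip().lower() in KNOWN_EMAILS else "signup"


class SlidingWindowLimiter:
    """At most `limit` calls per `window_s` seconds for each key (e.g. client IP)."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed stand-in for the mail sender: records (address, kind of message).
OUTBOX = []


def uniform_next_step(email: str, client_ip: str, limiter: SlidingWindowLimiter,
                      now: Optional[float] = None) -> str:
    """Same first stage without the oracle. Every address gets the identical
    on-screen answer; whether the mail carries a login link or a sign-up link
    is visible only to whoever controls the mailbox. Lookups are throttled per
    source address so bulk probing stays slow even if some side channel remains."""
    if now is None:
        now = time.monotonic()
    if not limiter.allow(client_ip, now):
        return "throttled"
    email = email.strip().lower()
    OUTBOX.append((email, "login_link" if email in KNOWN_EMAILS else "signup_link"))
    return "check_your_email"
```

Two things the code does not show but a deployment must handle: response time has to be uniform as well (do the database lookup on both paths and queue the mail rather than await it), and a site that wants to keep a plain password flow can instead show the password page for unknown addresses too and let them fail at the password step, which is what a wrong password looks like anyway.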

------
_RPM
They're copying Google.

