I've noticed this trend now where you are first asked for your username or email, then the page reloads with the password box separately. This is really annoying if you use a password manager as you sometimes have to open it twice. Where has this come from? Is it safer?
Several large sites, including google/gmail and MS, do this so they can offer separate corporate versions of their cloud products. When you enter your username, it checks whether this is a consumer or corporate username, then the password page you see actually comes from a completely different page.
Try going to login.microsoftonline.com which has both a username and a password field and then type "alpha@bristol.ac.uk" into the username field and TAB out (this is not a real username by the way). You'll be redirected to the Bristol version of the sign-in page and get to see a nice picture of their university tower.
On gmail, once you've entered your e-mail address, if it's from a computer it recognises (some combination of cookies and IP address) then the password page will show your avatar, if it's from an unknown computer it won't. I guess this provides a very small signal that can be helpful in detecting phishing.
The terminology you're looking for here regarding the differing logins for different organizations is Single Sign-On (SSO) Providers. There are a bunch of different methods of implementing SSO, and companies that offer this as a service. Using the two-step login allows Microsoft, Google, etc. to redirect users to authenticate with their associated SSO Provider based on their username, or in this case email address domain, so that this login can be shared across other services a company utilizes.
The only justification I've ever seen was places gearing up for multi-factor authentication.
The front login page, asking for your account, tells the backend how you're configured to log in (token, password, biometric, whatever). Then the second page is variable depending on your authentication method.
Some authenticators (Google comes to mind) allow for delegation to third-party scenarios. So, similarly, knowing the account is necessary to determine the next step.
I'm really looking forward to an answer for us, if someone with deep and relevant knowledge is around. There are a couple of possibilities that come to mind:
1) Perhaps testing reveals that some users are pushed away by the complexity of being confronted with two fields at the same time, and these users are more likely to successfully log in when presented with only one field at a time.
2) Perhaps there is some actual good security reason for it.
3) Perhaps there is some bad security reason for it. First example, lots of sites appear to express a belief that password managers are evil, and that users must be forced by increasingly obstinate means to type each long detailed robust password one single character at a time. Maybe this is simply an extension of that somehow.
4) Perhaps a security standard somewhere was devised that for some reason (good or bad) demanded this behavior; then it has been copied across the industry ever since.
#3! God it pisses me off so much that Google does this now. I have about 6 different Google accounts (one GApps for Ed, two personal, and three GApps for Business) and it's a pain since I use LastPass, and LP doesn't always get the user matched right. I have to select the right one twice!
I've seen this on some bank websites, that display a user-selected picture after giving them your user ID. I guess that is so the user can verify that they are talking to the legitimate site.
I've never understood why this is seen as a form of verification. What is stopping a phishing site from simply taking a victim's username and fetching the victim's corresponding image from the bank's website via simple scraping?
Many sites have started using "magic links" where you can choose to either receive an email with a link that will authenticate you or you can input the password.
Microsoft appears to do it as well with Office 365 and Azure (and related services).
They appear to distinguish two types of accounts ('Live ID' type accounts for personal use, and 'Work' accounts) and it is possible for a single e-mail address to refer to both. When I enter my work email, I get to choose between 'use my work account' (which exists in Azure AD) and 'use my personal account' (which some years ago I registered as Live ID), then get the password prompt.
Actually their implementation is a bit annoying, because the password field in some cases is already visible before the choice between personal/work is presented - as soon as you tab out of the username field, you get the choice and you have to type your password afterwards.
Couple of potential reasons: 1) progressive disclosure, getting people invested in filling out simple aspects of a form leads to increased conversions (i.e. giving an email address is easy, whereas creating an account is a different cognitive behavior, but a hypothesis is that it's easier to convert once the user is in the flow). 2) following Google. If there's ever a move to implement other authentication methods, then splitting it into that flow makes sense (if there's not, then it doesn't...)
oddly enough, the very low-tech website for the company that holds my mortgage does this. i can't imagine it's for any of the reasons people are speculating about here. based on the presentation, i think it's purely to simplify the interface. i guess it's less daunting to have to enter only one piece of information at a time.
It's better if you don't remember which email you used to sign up, as it validates it right away without you having to enter the password, so you can make multiple attempts more quickly.
It somewhat looks better because after you've entered your email they can show your profile picture.
On Chrome at least, autocomplete still works, so you don't have to enter your password manually if you have it saved. I don't know if other browsers (or even Chrome on certain websites) might get confused if username and passwords aren't together.
It makes it seem easier to log in. Having to fill 1 field twice feels better than having to fill 2 fields once (in my opinion, at least).
Bank of America and Vanguard both used to do this, but within the last year both switched to a single stage login, and both said they were switching to single stage to improve security.
For them it makes sense. Since a long time ago, they've had a feature where you use your custom authentication service to sign in (think: on site Kerberos instance).
For example at school the form would show both email and password fields, but I would enter only my school email into the username and then it would redirect me to my school's centralized login.
So now instead of mistakenly showing the password field sometimes, they only show it when necessary.
We use multiple identity providers for users to sign in to our website and we have a 2-stage login form to either redirect a user to the identity provider their organization uses or to use our native login/password authentication.
As for Microsoft's login, authenticating users can belong to some Azure Active Directory or Office 365 for Business etc., so Microsoft decides which backend to authenticate users against.
Anecdotal, but we implemented this as we had a large number of existing users who would sign up on our marketing site (when they were actually trying to sign in).
We changed it so that they enter their email first, then we detect whether we have that email in our db, and direct them to the appropriate next step (either a sign up form as a new user, or a password field for an existing user).
I've seen it being used so that if the username/email isn't registered, it will load the "Sign Up" process, but if it is, it will instead redirect to the standard login.
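The routing step that several comments above describe (redirecting by e-mail domain to an organisation's own identity provider, offering the work/personal choice when one address exists on both sides, sending unknown addresses to sign-up instead of a password prompt, and only showing the avatar when the request comes from a recognised device) put together as one piece of added example code. This is not code from Google, Microsoft or any poster in the thread; the tenant table, the account store, the device-cookie scheme and every URL in it are constructed for the example.

```python
"""
Identifier-first ("two-step") login: decide the second step from the identifier alone.

Added example, not any site's real implementation. Tenants, accounts, URLs and the
device-cookie scheme are constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed tenant table: e-mail domain -> where that organisation authenticates.
# In practice this would be a verified list of customer domains, never user-supplied.
SSO_TENANTS = {
    "example-university.edu": "https://sso.example-university.edu/login",  # hypothetical
    "example-corp.com": "https://idp.example-corp.com/saml/sso",          # hypothetical
}

# Constructed local ("native login/password") account store: email -> avatar URL.
LOCAL_ACCOUNTS = {
    "alice@example.com": "https://cdn.example.com/avatars/alice.png",      # hypothetical
    "dana@example-corp.com": "https://cdn.example.com/avatars/dana.png",   # also has SSO
}

# Server-side secret that binds a device cookie to an account (constructed).
DEVICE_COOKIE_KEY = b"constructed-example-key-do-not-reuse"


@dataclass
class NextStep:
    action: str                   # "redirect_sso" | "choose" | "password" | "signup"
    target: Optional[str] = None  # identity-provider URL for redirect_sso / choose
    avatar: Optional[str] = None  # set only when the device is recognised


def normalise(identifier: str) -> str:
    """Canonicalise the typed identifier so lookups are case- and whitespace-insensitive."""
    return identifier.strip().lower()


def issue_device_cookie(email: str) -> str:
    """Cookie value to set after a successful login; ties this browser to the account."""
    return hmac.new(DEVICE_COOKIE_KEY, normalise(email).encode(), hashlib.sha256).hexdigest()


def device_recognised(email: str, cookie: Optional[str]) -> bool:
    """True only if the presented cookie is the one we issued for this account."""
    if not cookie:
        return False
    return hmac.compare_digest(issue_device_cookie(email), cookie)


def discover_realm(identifier: str, device_cookie: Optional[str] = None) -> NextStep:
    """Home-realm discovery: map the identifier to the page the user should see next."""
    email = normalise(identifier)
    domain = email.rsplit("@", 1)[1] if "@" in email else None
    has_sso = domain in SSO_TENANTS
    has_local = email in LOCAL_ACCOUNTS

    # 1. Address exists both as an organisation login and a personal account:
    #    let the user pick, as the Microsoft flow described above does.
    if has_sso and has_local:
        return NextStep(action="choose", target=SSO_TENANTS[domain])

    # 2. Organisation with its own identity provider: hand off, never ask for
    #    the password here.
    if has_sso:
        return NextStep(action="redirect_sso", target=SSO_TENANTS[domain])

    # 3. Known local account: show the password step. The avatar is attached only
    #    when the request carries a cookie we issued for this account, so a request
    #    from an unknown browser (or a scraper) just supplying the address gets none.
    if has_local:
        avatar = LOCAL_ACCOUNTS[email] if device_recognised(email, device_cookie) else None
        return NextStep(action="password", avatar=avatar)

    # 4. Unknown address: route to sign-up instead of a password prompt.
    return NextStep(action="signup")


if __name__ == "__main__":
    cookie = issue_device_cookie("alice@example.com")
    print(discover_realm("Bob@Example-University.EDU"))     # redirect to the university IdP
    print(discover_realm("alice@example.com"))              # password step, no avatar
    print(discover_realm("alice@example.com", cookie))      # password step with avatar
    print(discover_realm("dana@example-corp.com"))          # work/personal choice
    print(discover_realm("nobody@example.com"))             # sign-up flow
```

Two things worth noticing in this shape. The domain lookup is against a table the service controls, so a user cannot steer themselves to an arbitrary identity provider by typing a domain. And the `password` versus `signup` split is exactly the "validates it right away" behaviour one commenter likes: it tells whoever typed the address whether an account exists for it, so a service that considers that a problem has to make the two branches look the same to the client rather than rely on this step.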
red_admiral|9 years ago
natdempk|9 years ago
zero_by_divide|9 years ago
BrandonSmith|9 years ago
ktta|9 years ago
kylecordes|9 years ago
ajford|9 years ago
J_Darnley|9 years ago
If that is true the world is doomed. Giant Meteor 2016
derekp7|9 years ago
kondbg|9 years ago
RandomSort|9 years ago
Both Netflix and Slack do this.
Guyag|9 years ago
misterdata|9 years ago
wastedhours|9 years ago
kevinastone|9 years ago
Nadya|9 years ago
allenbrunson|9 years ago
scandox|9 years ago
jogjayr|9 years ago
codegeek|9 years ago
microman|9 years ago
56k|9 years ago
tzs|9 years ago
z1mm32m4n|9 years ago
desigooner|9 years ago
scandox|9 years ago
yks|9 years ago
seekingcharlie|9 years ago
0xmohit|9 years ago
https://www.hipchat.com/sign_in
citizens|9 years ago
csprague|9 years ago
_RPM|9 years ago