Why do websites ask for login and password in two different screens now?


Discussion

Counter bots

Yes that happens more often now.

Also they may just get the email and send you a one-time link instead of a password entirely

I think it’s all part of thwarting brute force and bots

Makes sense, but I think they should probably rethink their lives.

idk but i hate it, have to auto-fill twice

I can't wait until all websites ask for an npub and password like nostr.build instead of an email and password.

Why every website demands to know my spam box email is beyond me.

Even better just login WITH nostr key, no password needed

Login with lightning ⚡

You probably know nothing about product UX, because users love it and it converts much better. Users are much more engaged, they spend twice the amount of time on the page with this.

Ok, adding 2 buttons for NIP-7 login

And a captcha too

Don't know if it has security reasons. But it is annoying as F!

I think they want the opportunity to give you a captcha before even allowing you to submit a password

🏆

They get paid per screen, obviously... /s

counter screen-peeping-toms

The most common reason to put username and password on two different pages is to support both:

1. single sign-on (SSO) (i.e. sign in with Google or a service like Okta)

2. username/password login

However, this login flow confuses people, which is probably why you're reading this! Websites usually present a username and password field in the same view for us to log in. So you're not alone if you've ever wondered why the password field is missing or on another page.

Source: https://www.twilio.com/blog/why-username-and-password-on-two-different-pages

I would have guessed for double the ad impressions

Hello! Maybe you can help me. I can't post images here. It reports a failure. What can I do to fix this?

Hi Regis. Do you use Android or iPhone?

Android

Many sites offer login methods beyond just a simple username/password basic auth. I think the most common use case is SSO login. Let's say company X pays for access to a tool at Site Y. Company X can set up their SSO provider to allow logins from Site Y. Site Y needs to redirect all logins from @companyx.com to Company X's login page. That redirect should happen after the username/email is entered, thus the password field is not shown.

2FA… only kidding…

With QBlock, no more, it will be DiD as the user owns, controls and monetizes his/her profile data and can access the internet at any website. Not only that, the user will charge any company (Apple, Google, Facebook, Microsoft) if they request access to the user profile!

It's so annoying, it confuses Keepass/Bitwarden and makes it much longer to login.

As far as I know, it is to support SSO

I hate it… sometimes it breaks my password manager’s ability to pick up on the fact that it’s a login screen

It’s worse on mobile

Yeah, luckily keepassxc has custom key inputs, so you can do user, enter, wait, pass, enter and most logins will work.

It has to be some kind of bureaucrat-mandated, faux-security concept like making people periodically rotate passwords to ensure they will write them down on a post-it stuck to their monitor.

Compatibility with Single Sign-On (SSO) systems.

And sometimes it is also an anti-bot security measure.

I read somewhere that it's a security measure. If the username/email is not found in the database, they don't have to show the password field to a potential attacker.

I think that's an anti-pattern; you want to give as little information as possible. Meaning if the user does not exist, you want to make them believe it does.
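The two points raised in the thread, SSO routing after the email step and not revealing whether an account exists, can be combined in one flow. The sketch below is an added example, not part of any post above or any site's real code; the domains, URL, account and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed tenant config: email domain -> that company's SSO login page.
SSO_DOMAINS = {"companyx.com": "https://sso.companyx.example/login"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed local account store: email -> (salt, password hash).
_SALT = b"constructed-salt"
LOCAL_USERS = {"alice@example.org": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so unknown accounts cost the same hashing work as real ones.
_DUMMY_SALT = b"dummy-salt-value"
_DUMMY = (_DUMMY_SALT, _hash("no such account", _DUMMY_SALT))


def next_step(identifier: str) -> dict:
    """Screen one: decide what screen two is, from the email domain only.

    The account store is never consulted here, so the answer is identical
    for existing and non-existing users of a non-SSO domain.
    """
    email = identifier.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return {"step": "error", "reason": "malformed identifier"}
    if domain in SSO_DOMAINS:
        # Password is entered at the company's identity provider, not here.
        return {"step": "redirect", "url": SSO_DOMAINS[domain]}
    return {"step": "password"}


def check_password(identifier: str, password: str) -> dict:
    """Screen two: one generic failure for unknown user and wrong password."""
    email = identifier.strip().lower()
    salt, stored = LOCAL_USERS.get(email, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and email in LOCAL_USERS:
        return {"ok": True}
    return {"ok": False, "error": "Invalid email or password"}
```

Rate limiting or a captcha, as other replies mention, would sit in front of both functions.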

Because they should be doing something other than app development. I'm sure they'll be happy to add to a third page if someone whispers it's good for the climate.