Paul DwerryhousePossibly the most annoying UI trend of the last few years is websites changing from
[username] - [ password ] -> Login
to
[username] -> Next -> [ password ] -> Login
varx/tech@pdwerryhouse I think, although I am not sure, that this separation of username and password onto two screens is driven by heavy adoption of third-party authentication. Before they can ask for your password, they need to find out if you're actually going to be signing in via OAuth or something else instead.
(Well, that's one reason at least. I'm pretty sure banks started doing this about 10 years ago just to be ornery.)
Mathias@varx @pdwerryhouse Yes. E.g., if you are logging in at Microsoft, your password is sent to your organisation's AD depending on the domain used in the username.
Stéphan Kochen@matthegap @varx @pdwerryhouse That sounds wrong. Doesn't that mean you can immediately see, without password, if someone has an account on the system? (And even which auth method they use!)
I guess it could be safe if the username format alone implied which auth method to use. (As in, no database access happens.)
@kosinus @varx @pdwerryhouse No, they are only checking if the domain is known to Mirosoft, not if the username exists.
Schrank 
🐘@matthegap @kosinus @varx @pdwerryhouse and why is this not possible in one screen? Or is it an iframe to send the password to the other server?
@Schrank @kosinus @varx @pdwerryhouse Not sure if there are actual technical reasons for it.
It is definitely a UI thing. As soon as you confirm the e-mail address, you get a custom background (e.g., your company logo) for the password dialog.
It is definitely a UI thing. As soon as you confirm the e-mail address, you get a custom background (e.g., your company logo) for the password dialog.
Johann Uhrmann@Schrank @matthegap @kosinus @varx @pdwerryhouse in single-sign-on scenarios this is not possible, because basically the service redirects to an identity provider saying "this guy claims to be John Doe, please check that for me".
The identity provider then does some kind of authentication and redirects back to the service provider saying "here is my signed statement that this guy is indeed John Doe".
The identity provider then does some kind of authentication and redirects back to the service provider saying "here is my signed statement that this guy is indeed John Doe".