Possibly the most annoying UI trend of the last few years is websites changing from

[username] - [ password ] -> Login

to

[username] -> Next -> [ password ] -> Login

@pdwerryhouse I think, although I am not sure, that this separation of username and password onto two screens is driven by heavy adoption of third-party authentication. Before they can ask for your password, they need to find out if you're actually going to be signing in via OAuth or something else instead.

(Well, that's one reason at least. I'm pretty sure banks started doing this about 10 years ago just to be ornery.)

@varx @pdwerryhouse This separation is a prelude to the implementation of passkeys, a standards-based replacement for/improvements over passwords.
@mjt @pdwerryhouse It long predates the development of passkeys, though.
@varx @pdwerryhouse Yep. This has been coming for a year at least.
@varx @mjt @pdwerryhouse Pretty sure you don’t need two step login to support passkeys. Passkeys use public key crypto precisely so you don’t have to direct the user to some other trusted party to authenticate or worry about grabbing the wrong password.

@mathew @varx @pdwerryhouse

Go try it out, if you have a capable device, at passkeys.io

It makes a lot of sense once you start using it…and you can use it today with Apple devices running the latest OS. You can use a passkey fer realz at Bestbuy.com or Kayak.

@varx @pdwerryhouse Yes. E.g., if you are logging in at Microsoft, your password is sent to your organisation's AD depending on the domain used in the username.
@matthegap @pdwerryhouse Oh man, I just saw that for the first time recently. So sketchy! All this training to never enter your password on a site other than the one it was registered with, and Microsoft just ambles up and says "hey, we'll log in for you, don't worry about it".
@varx @matthegap @pdwerryhouse it’s the opposite. It’s so that when your own org handles auth, Microsoft *doesn’t* get your credentials

@chucker @matthegap @pdwerryhouse Not what I'm seeing!

To demonstrate, here's what I see if I go to edx.org and try logging in via Microsoft. I've entered a real 2u.com email address (not mine) to show what the password entry screen looks like.

It's asking me to enter the password that was set in the OneLogin system, not the one that was set in the Microsoft system. I'm not sure whether there's some kind of Active Directory style password sync going on or Microsoft's login server is going to relay the password to OneLogin, but either way it's an example of a website asking you to enter a password that is for a different origin.

@chucker @matthegap @pdwerryhouse Certainly it is true that on *most* sites, this would instead be a redirect involving SAML or a similar flow, but in this one it just straight-up asks for the password on the second screen.

@matthegap @varx @pdwerryhouse That sounds wrong. Doesn't that mean you can immediately see, without password, if someone has an account on the system? (And even which auth method they use!)

I guess it could be safe if the username format alone implied which auth method to use. (As in, no database access happens.)

@kosinus @varx @pdwerryhouse No, they are only checking if the domain is known to Microsoft, not if the username exists.
@matthegap @kosinus @varx @pdwerryhouse and why is this not possible in one screen? Or is it an iframe to send the password to the other server?
@Schrank @kosinus @varx @pdwerryhouse Not sure if there are actual technical reasons for it.
It is definitely a UI thing. As soon as you confirm the e-mail address, you get a custom background (e.g., your company logo) for the password dialog.
@Schrank @matthegap @kosinus @varx @pdwerryhouse in single-sign-on scenarios this is not possible, because basically the service redirects to an identity provider saying "this guy claims to be John Doe, please check that for me".
The identity provider then does some kind of authentication and redirects back to the service provider saying "here is my signed statement that this guy is indeed John Doe".
@varx @pdwerryhouse my bank thankfully still has username + password on the same page
on the website, anyways. dunno about the app, my actual phone is a flip phone and i have an old smartphone set aside for games only, so i've never really used the app
@nu @varx @pdwerryhouse A flip phone?? You are my people! I had to get rid of mine a few years ago, but man do I miss its size, how easy it was to hold against my ear, and the FOREVER battery life. **sigh**

@reverendref @nu @pdwerryhouse I still only have a flip phone! The options keep getting worse, though; each new one that I've had to get as 2G and then 3G were retired has been worse than its predecessor to an astonishing degree.

I'm probably going to have to get one of those old-people phones next, the kind with an optional "I've fallen and can't get up" service, because even with the drastically reduced feature set they'll probably at least work. (Never buying a ZTE product again...)

@varx @pdwerryhouse often this is due to risk-based authentication, as Google does
@varx @pdwerryhouse Yep, I agree. And as long as they still support password managers easily I’m fine with it.
@varx @pdwerryhouse as someone who has had to implement something like this, yes, it's because of SSO. We can't tell what type of authentication needs to be done until the user enters the domain of their email address. I did work on one implementation where we showed the password field by default but hid it with javascript as soon as we detected a non-sso domain, but that has security and usability implications to it as well. 🤷‍♂️
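The two mechanisms discussed in this thread, domain-based routing of the first screen (the "we can't tell until the user enters the domain" point above) and the redirect-with-signed-statement handshake described a few posts earlier, fit into a short model. The following is an added example written for this thread, not code from any poster or from Microsoft, OneLogin or any other product mentioned. The SSO domain table, the account table and the e-mail addresses are constructed, and an HMAC over a JSON payload stands in for the SAML or OIDC signature a real identity provider would use. The point it makes from the defender's side: the first step is a pure function of the domain and never reads the account table, so the reply is identical for a registered and an unregistered address at the same domain and the screen cannot be used to enumerate accounts; and the service provider accepts the identity provider's statement only after checking the signature, the audience and the validity window.

```python
"""Home-realm discovery for a two-step login, plus a toy SSO hand-back.

Added example for this thread; not anyone's production code. All domains,
addresses, the account table and the shared secret are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed: e-mail domain -> identity provider entry point (an allowlist,
# so the redirect target can never come from user input).
SSO_DOMAINS = {
    "example-corp.test": "https://idp.example-corp.test/saml/sso",
    "partner.test": "https://login.partner.test/oidc/authorize",
}

# Constructed local account table. It is present only to make the point that
# plan_login() never consults it.
LOCAL_ACCOUNTS = {"alice@mail.test", "bob@example-corp.test"}

# Constructed demo secret shared by the identity provider and the service
# provider; a real deployment would use the IdP's signing key instead.
IDP_SHARED_SECRET = b"constructed-demo-secret-do-not-use"


@dataclass(frozen=True)
class LoginPlan:
    method: str              # "sso" or "password"
    redirect: Optional[str]  # IdP entry point when method == "sso", else None
    prompt: str              # text shown on the second screen


def normalize_email(email: str) -> str:
    """Lower-case the address and reject malformed input before any lookup."""
    addr = email.strip().lower()
    if addr.count("@") != 1:
        raise ValueError("malformed e-mail address")
    local, domain = addr.split("@")
    if not local or not domain or "." not in domain:
        raise ValueError("malformed e-mail address")
    return f"{local}@{domain}"


def plan_login(email: str) -> LoginPlan:
    """First screen: decide the second step from the domain alone.

    LOCAL_ACCOUNTS is deliberately not read here, so the reply for
    bob@example-corp.test and nobody@example-corp.test is the same object.
    """
    domain = normalize_email(email).rsplit("@", 1)[1]
    idp = SSO_DOMAINS.get(domain)
    if idp is not None:
        return LoginPlan("sso", idp, "Redirecting you to your organisation's sign-in page")
    return LoginPlan("password", None, "Enter your password")


def idp_issue_assertion(subject: str, audience: str, now: Optional[int] = None) -> str:
    """Identity provider side: 'here is my signed statement that this is John Doe'."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + 300}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(IDP_SHARED_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def sp_verify_assertion(token: str, expected_audience: str,
                        now: Optional[int] = None) -> Optional[str]:
    """Service provider side: return the subject only if the statement checks out."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:           # wrong number of parts or bad base64
        return None
    expected = hmac.new(IDP_SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_audience:   # statement meant for another site
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):  # replayed / expired
        return None
    return claims["sub"]


if __name__ == "__main__":
    for addr in ("bob@example-corp.test", "nobody@example-corp.test", "alice@mail.test"):
        print(addr, "->", plan_login(addr))
    tok = idp_issue_assertion("john.doe@example-corp.test", "https://sp.example.test")
    print("verified subject:", sp_verify_assertion(tok, "https://sp.example.test"))
```

The variant the implementer above describes (show the password field, then hide it once a known SSO domain is typed) is the same `plan_login` decision made client-side; the enumeration property holds either way as long as the decision depends on the domain table and not on the account table.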
@pdwerryhouse Also it annoys me to an irrationally high degree to see the words "Continue with email" in tiny print below a bunch of megacorp logos
@neven @pdwerryhouse to be fair, there is a convenience element in using big identity providers. It’s also safer than reusing passwords, but both arguments disappear if you use a password manager.
@lamperti @neven @pdwerryhouse say that again once big corp locks your account for $reason and you are unable to log in to all the other accounts depending on that login

@pdwerryhouse And then there's all the A/B tests. Type in your username, no your email, no your phone number. Then type in your password, ha sorry just kidding, go check your email for a "magic link". (That's Doordash.)

For the last 2 years, Facebook consistently refuses my first login attempt. A retry succeeds -- and ignores my original link and takes me to my feed. I have no interest in my feed; if I hit <back> after the first login failure and resubmit I get to my desired destination.

@akkartik @pdwerryhouse yes, the failure of deep-linking through authentication sucks.
@pdwerryhouse /me side-eyes Microsoft Azure login with a burning hatred.
@pdwerryhouse Been having this frustration while logging into sites to change my 2FA app.
@pdwerryhouse And obfuscating 2FA codes when you type them in can get into the bin as well.
@pdwerryhouse especially when it breaks autofill of passwords

@pdwerryhouse
Also the:

[𝗟𝗢𝗚𝗜𝗡 𝗪𝗜𝗧𝗛 𝗚𝗢𝗢𝗚𝗟𝗘]
[𝗟𝗢𝗚𝗜𝗡 𝗪𝗜𝗧𝗛 𝗙𝗔𝗖𝗘𝗕𝗢𝗢𝗞]
[𝗟𝗢𝗚𝗜𝗡 𝗪𝗜𝗧𝗛 𝗧𝗪𝗜𝗧𝗧𝗘𝗥]

ᴸᵒᵍⁱⁿ ʷⁱᵗʰ ʸᵒᵘʳ ᵉᵐᵃⁱˡ

@maop Yep, that's really annoying.
@pdwerryhouse oh gosh I hate this so much. (Particularly as my work email address is long, and I’m only typing it so the website can then redirect me to my work IdP)
@pdwerryhouse annoying but technically necessary? Fortunately the password managers can handle the flow correctly most of the times
@synth @pdwerryhouse In most cases, it's a design decision, not a technical requirement.

@pdwerryhouse If they're doing it to merge the login and sign-up workflows, then I don't mind it so much.

Really not a fan of websites with large "sign up" buttons and tiny "log in" buttons, where the resulting forms look almost identical.

@pdwerryhouse
I'd like to see passwords dispensed with entirely anyhow. Bring on TOTPs paired with client certificate stores.
@pdwerryhouse if you're even able to find the login form, because the link is hidden behind a giant SIGN UP button.
@decibyte @pdwerryhouse I hate this pattern. When there’s a giant, obvious SIGN UP button and a tiny camouflaged “sign in” link, I feel like the dim web designer who made it expects me to create a new account every time I visit.
@pdwerryhouse I think some places do that because they need to send people to a different login for when it's like, an institutional login but also why not have a separate form for that instead of making Every Single Person go through that, or have a password field anyways and idk, dynamically hide it if someone types in a username or mail that would go to that, or for god's sake just do anything beyond the least effort approach :|

@pdwerryhouse
In most cases my defined KeepassXC phrase, to insert the credential data in the right way, works also with such kinds of login pages. 🤞

But I would prefer also the "classic" format.

@pdwerryhouse

Marketing department to CEO:

"50% growth in pageviews last year"

@pdwerryhouse @mainframed767 it has to do with SSO / multiple IdP and also user experience when they don’t know what email they have signed up
@pdwerryhouse look at Apple's icloud.com, you can't use keepassxc for auto fill in your passcode because of that
@pdwerryhouse especially when it breaks keepassxc by doing this
@pdwerryhouse assuming the original intent is to allow users to confirm that their username exists, it not only makes the experience slower for everyone (including those who do remember their username or have a password manager), it is also a security risk. Slack used to let you see your workspaces after entering your email, which resulted in people knowing Satya Nadella used Slack for various projects.
@pdwerryhouse I complained to Synology about this (on my own LAN-restricted box, no less) and received a surly response that it “improved security.” LOL LOL LOL
@pdwerryhouse I think sites do that to "cleanly" support multiple ways to authenticate. Ask for password or forward to SSO provider? That sort of thing.
@pdwerryhouse Also services that time you out to an interstitial page that is not the login form, so you can't just log back in again, you have to see the page and click on something. They then use that page to advertise their new features etc.
@pdwerryhouse Stupid enterprise authentication integration adding an extra step for everyone just so some domains can get redirected to different places.

@pdwerryhouse +9001%

It's horribly annoying and slow and doesn't prevent #bots from logging in...

@pdwerryhouse actually semi-useful if users can log in using both oidc and via password, but that is only known once the username is known

@pdwerryhouse this is so stupid, indeed!

(and it breaks password managers… I wonder if this is why some do it… Komoot (as one hall-of-shame example) don’t do it for that reason but also “can’t promise” they fix it)

@pdwerryhouse even worse are shitty #cookie "#consent" popups that don't offer a "no" / "decline all" option.
@pdwerryhouse I think they are doing this to fight password managers. But why they want to lower security, I dunno.
@pdwerryhouse I still struggle to really understand the thinking behind it