I have noticed lately that instead of having an email address and password entry box on the same page/screen, a lot of websites and apps will instead ask for your email address first, then it will ask for your password in a separate step.

As I use a password manager, this means I cannot just fill in the email address and password in one easy step - I either have to manually type my email address, or I have to autofill with the password manager twice.

My question is: is there a good security reason why they are increasingly doing it this way, or is it just bad UI design?

Wossname

  • Does this answer your question? [Is having the username and password fields on different pages more secure?](https://security.stackexchange.com/questions/85160/is-having-the-username-and-password-fields-on-different-pages-more-secure), [Why do some sites ask for username/email and password on two separate screens?](https://security.stackexchange.com/questions/160692/why-do-some-sites-ask-for-username-email-and-password-on-two-separate-screens) – Steffen Ullrich Jan 16 '21 at 06:27

1 Answer

The main reason might be neither, but the ability for conditional authentication steps. Some services e.g. support multiple single sign-on (SSO) providers, and the username is required to pick the correct SSO to forward the user to. Some may even have different authentication methods altogether. From a security and privacy perspective this is also a bit problematic, as it may reveal whether a user exists or not.

Esa Jokinen

  • Note that a service could look at only the domain of a user before redirecting them to a SSO page, leaving the other part of the email unknown to the attacker – Ferrybig Jan 16 '21 at 12:35
  • If a user doesn't exist then the server still may (and should) serve the standard password method. In that case it doesn't lower security at all. – freakish Jan 16 '21 at 14:34
  • +1, BUT… That "revealing whether it exists or not" regarding logins is a common myth. That's because you can usually reveal the same information by registering a new user. Of course this doesn't apply in case the registrations are locked. – o0'. Jan 16 '21 at 16:53
  • @o0'.: It's also possible to arrange the registration in a way that doesn't reveal whether the email address was already used for another account, if email addresses were used as login usernames. The registration form could only say that "if your email address wasn't already in use, follow the confirmation link sent to you in an email". – Esa Jokinen Jan 17 '21 at 07:18
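As an added illustration of the answer and the comments above (example code, not from the answer or any real site), here is an identifier-first login step that does "home realm discovery" from the email domain alone. The leaky variant reports unknown accounts before a password is ever entered; the hardened variant serves the standard password step for everything that is not a federated domain, so the response is the same whether or not the account exists. The domain-to-SSO mapping and the account set are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: federated email domains and their SSO entry points.
SSO_BY_DOMAIN = {
    "corp.example": "https://sso.corp.example/saml/login",
    "school.example": "https://idp.school.example/oidc/auth",
}
# Constructed sample of accounts that use the local password method.
LOCAL_ACCOUNTS = {"alice@mail.example"}


@dataclass(frozen=True)
class NextStep:
    method: str              # "sso", "password" or "error"
    redirect: Optional[str]  # SSO entry point, or None for the password form


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part, or None if the input has no '@'."""
    email = email.strip().lower()
    return email.rsplit("@", 1)[1] if "@" in email else None


def next_step_leaky(email: str) -> NextStep:
    """The enumeration-prone variant: it reports unknown accounts up front."""
    domain = email_domain(email)
    if domain in SSO_BY_DOMAIN:
        return NextStep("sso", SSO_BY_DOMAIN[domain])
    if email.strip().lower() not in LOCAL_ACCOUNTS:
        return NextStep("error", None)   # reveals that no such account exists
    return NextStep("password", None)


def next_step_hardened(email: str) -> NextStep:
    """Home-realm discovery from the domain alone, as the comments suggest.

    Only the domain picks an SSO provider (the local part is never consulted),
    and every other identifier, registered or not, gets the standard password
    step, so the response does not depend on whether the account exists.
    """
    domain = email_domain(email)
    if domain in SSO_BY_DOMAIN:
        return NextStep("sso", SSO_BY_DOMAIN[domain])
    # Deliberately not consulting LOCAL_ACCOUNTS: existence is only learned
    # after a correct password, exactly as with a single-page login form.
    return NextStep("password", None)
```

The hardened step gives identical responses for `alice@mail.example` and `nobody@mail.example`, while the leaky one distinguishes them; a registered account and a non-registered one on a federated domain are both simply redirected to that domain's SSO.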