6

I have noticed many websites going to a two-page (not two-factor) login system - where you enter your username on page 1 and click submit, and then enter your password on page two and click submit.

What are the benefits to doing this vs having username and password on one page and clicking submit? Is it only to avoid passwords from accidentally being put into the username field?

warren
  • 659
  • 2
  • 8
  • 16

5 Answers

4

From a pure functional perspective, the 2 page system sometimes allows for home realm discovery (where the user has accounts in more than one system)

For example, Microsoft has something called the Microsoft Account and the Organizational Account. The username feature allows HRD to redirect to the correct authenticating server. This feature is live and active for all Azure, O365, and related sites.

For clarification:

  • LiveID, or Passport is now known as the Microsoft Account

  • Azure Active Directory, Office 365, WAAD, and possibly ADFS all use "Organizational Accounts"

It is possible to have an account in the form of user@company.com at one or both directories. You can test for the presence of an account in one or the other directory by checking the JSON available here

 https://login.microsoftonline.com/GetUserRealmExtended.srf?login=EMAIL@COMPANY.com 

or

 http://odc.officeapps.live.com/odc/emailhrd/getidp?hm=0&emailAddress=USER%COMPANY.com 

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
  • I've seen that with Office 365 myself. What about when it's the same server/service - eg a bank? – warren Mar 10 '14 at 18:45
  • @Warren, yes that's probably Sitekey. Read about it here http://security.stackexchange.com/q/26347/396 – makerofthings7 Mar 10 '14 at 18:48
  • I've seen the SiteKey as well as what appears to merely be a "poor man's SiteKey", where it's just the two fields separated onto different forms/pages – warren Mar 10 '14 at 18:50
4

I've seen this used in systems like SiteKey that some banks use on websites. The idea here is that once the user has identified themselves on page one by entering a username, the application then provides some information (in the case of SiteKey a picture and phrase chosen by the user during enrollment), which is intended to assure the user that they are on the correct site before they enter their password.

Whether this has actual security benefits against standard attackers is debatable (i.e. it could be possible for attackers to act as a Man-in-the-middle and relay the username on to the site, retrieve the image and show this to the user)

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
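To make the relay concern in this answer concrete, here is an added example (constructed for this page, not any bank's or SiteKey's code) that models the two-page flow as two objects: the legitimate bank, and a phishing relay that forwards the username to the real site and echoes the genuine image back to the victim. All usernames, passwords, image names and the decoy-for-unknown-users behaviour are assumptions of the example.

```python
# Added example: a minimal model of a SiteKey-style two-page login and of the
# relay attack described in the answer above. Constructed data; not a bank's code.
from dataclasses import dataclass, field

# Constructed enrollment data: the per-user image and phrase chosen at enrollment.
BANK_USERS = {
    "alice": {"password": "correct horse", "image": "red_bicycle.png", "phrase": "Sunny days"},
    "bob":   {"password": "battery staple", "image": "blue_kettle.png", "phrase": "Go team"},
}


@dataclass
class Bank:
    """Legitimate site: page 1 takes a username, page 2 shows the SiteKey and takes a password."""
    users: dict

    def page1_submit_username(self, username):
        # Return the enrolled SiteKey so the user can check they are on the real site.
        # Unknown usernames get a decoy so this endpoint does not confirm which
        # accounts exist (the decoy is this example's assumption, not from the answer).
        u = self.users.get(username)
        if u is None:
            return {"image": "decoy.png", "phrase": "decoy"}
        return {"image": u["image"], "phrase": u["phrase"]}

    def page2_submit_password(self, username, password):
        u = self.users.get(username)
        return u is not None and u["password"] == password


@dataclass
class PhishingRelay:
    """Attacker site: relays the username to the real bank and shows the real SiteKey."""
    bank: Bank
    captured: list = field(default_factory=list)

    def page1_submit_username(self, username):
        # Live relay: ask the real bank for the victim's own image and phrase.
        return self.bank.page1_submit_username(username)

    def page2_submit_password(self, username, password):
        # The victim has recognised their image, so they type the password here.
        self.captured.append((username, password))
        # The attacker can log in to the real bank with the stolen credentials at once.
        return self.bank.page2_submit_password(username, password)


def victim_logs_in(site, username, password, expected_image):
    """A careful victim: only types the password if the shown image is the enrolled one."""
    shown = site.page1_submit_username(username)
    if shown["image"] != expected_image:
        return {"entered_password": False, "login_ok": False}
    ok = site.page2_submit_password(username, password)
    return {"entered_password": True, "login_ok": ok}


def demo():
    bank = Bank(BANK_USERS)
    phish = PhishingRelay(bank)
    honest = victim_logs_in(bank, "alice", "correct horse", "red_bicycle.png")
    phished = victim_logs_in(phish, "alice", "correct horse", "red_bicycle.png")
    return {"honest": honest, "phished": phished, "captured": list(phish.captured)}


if __name__ == "__main__":
    print(demo())
```

The careful victim checks the image and still hands over the password to the relay, because the relay shows exactly what the real bank would show; the image only proves that whoever is serving the page can reach the bank's page 1, which anyone can.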
3

One other benefit is that users can very easily find a login form if you have a username entry field on the front page, among all the ads and links and other content. Then when they submit their username, the password usually gets entered on a very bare-bones page with only a password field.

I always look for the lock icon in general, but it makes me feel just a little less safe if I'm entering a password alongside a bunch of ad scripts and other potential attack surfaces. So splitting the login like that could conceivably add a little security by reducing the possible attack surface for grabbing a password. At the very least it gives that perception.

Of course the better solution might just be to provide a separate dedicated login page that asks for both username and password and just have a big LOGIN button on the homepage that takes you there.

Ben
  • 3,846
  • 1
  • 9
  • 22
0

In addition to halfbit's answer, sometimes it may even be the only possible way.

Google long ago implemented passwordless login with phone-notification confirmation. This way, after you enter your username, Google checks whether to prompt for a password or to display the phone-notification page, skipping the password prompt.

usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35
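Both the home realm discovery answer by makerofthings7 above and the Google password-or-phone-prompt flow in this answer describe the same server-side decision: with only the identifier in hand, choose what page 2 is. As an added example (constructed for this page, not Microsoft's, Google's or any answerer's code), the routine below returns a redirect to a foreign identity provider, a realm chooser when the domain is claimed by more than one directory, a password prompt, or a phone prompt. The realm table, domains, IdP URLs, accounts and device ids are all assumptions of the example.

```python
# Added example: identifier-first login routing. Page 1 submits only the
# identifier; the server decides what page 2 is. Realm table and per-account
# policy are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class RedirectToIdp:
    idp_url: str          # hand the user to the realm that owns the account


@dataclass(frozen=True)
class ChooseRealm:
    idp_urls: tuple       # identifier exists in more than one directory; let the user pick


@dataclass(frozen=True)
class PasswordPrompt:
    pass                  # authenticate locally with a password


@dataclass(frozen=True)
class PhonePrompt:
    device_id: str        # account has an enrolled push device and skips the password


# Constructed realm table: which directories claim which email domains.
# A domain listed under two IdPs models "an account at one or both directories".
REALMS = {
    "contoso.example": ("https://org.idp.example/saml",),
    "both.example": ("https://org.idp.example/saml", "https://consumer.idp.example/login"),
}

# Constructed per-account policy for accounts this site authenticates itself.
LOCAL_ACCOUNTS = {
    "alice@local.example": {"push_device": "dev-7f3a"},
    "bob@local.example": {"push_device": None},
}


def normalize(identifier):
    """Lower-case and trim so 'Alice@Contoso.Example ' routes like 'alice@contoso.example'."""
    ident = identifier.strip().lower()
    user, sep, domain = ident.partition("@")
    if not sep or not user or not domain or "@" in domain:
        raise ValueError("identifier must be a single user@domain")
    return ident


def next_step(identifier):
    """Decide page 2 from the identifier alone."""
    ident = normalize(identifier)
    domain = ident.split("@", 1)[1]

    # Home realm discovery: the domain tells us which directory owns the account.
    idps = REALMS.get(domain, ())
    if len(idps) > 1:
        return ChooseRealm(idps)
    if len(idps) == 1:
        return RedirectToIdp(idps[0])

    # Not a foreign realm: authenticate locally. Unknown local users still get a
    # password prompt so page 1 does not reveal which accounts exist (assumption).
    acct = LOCAL_ACCOUNTS.get(ident)
    if acct and acct["push_device"]:
        return PhonePrompt(acct["push_device"])
    return PasswordPrompt()


if __name__ == "__main__":
    for who in ("Alice@Contoso.Example ", "x@both.example", "alice@local.example", "bob@local.example"):
        print(who.strip(), "->", next_step(who))
```

The same function covers both answers: the domain lookup is the realm discovery step, and the per-account lookup is the password-versus-push decision that only becomes possible once the identifier is known.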
-2

Another benefit is that a built-in password manager wouldn't recognize the login form on the first page. So it wouldn't prefill the username, or list the accounts. This might be an advantage when you share a computer with others. Still, I'd prefer to disable the password manager in such an environment.

Soufiane Tahiri
  • 2,667
  • 12
  • 27
  • 2
  • What you describe is not a "shared computer" but a "shared account". Once you do that, you have other problems and a confused password manager is not a benefit or even a help in that situation. – schroeder Jan 08 '21 at 08:35
  • that is not a "benefit" in any conceivable manner - using a password manager is widely considered a security best practice. What you're describing, as explicitly *breaking* that solid security policy, would only serve to make you *less* secure – warren Jan 08 '21 at 13:39