326
submitted 2 years ago by redballooon@lemm.ee to c/asklemmy@lemmy.world

Back in the old times, on the sites I log in regularly, my browser filled in both username and password. I clicked "Log in" once, and I was set to go.

But no more. Now it's all first a username, then a password. From what I saw, Apple started this many years ago, but now this bother really spread. And it's not like I can just double-click on the same screen area, oh no. Animations make sure that I have to wait several hundred milliseconds before the password field is there, and depending on the site, I even have to select from my browser, which login I want to use, twice!

Why, oh why?

All my screens are really big enough to display 2 text fields. What are arguments for this behavior? I don't see any.

[-] bus_factor@lemmy.world 161 points 2 years ago* (last edited 2 years ago)

A lot of services these days support multiple forms of authentication. Did you sign up with a separate password? Did you use Google or Facebook auth? Is this a corporate account where auth is via their SSO? They don't even know whether they should ask for your password until they know who you are.

[-] redballooon@lemm.ee 42 points 2 years ago

That’s the best explanation I heard so far.

[-] residentmarchant@lemmy.world 40 points 2 years ago

As someone who just built one of these, that is the exact reason we did it.

It would be cool if users just remembered which service they used to sign in, but they often don't, so this is the next best thing. Tell us your email, we look up which service you used, then send you to that service to complete the login.

[-] tja@sh.itjust.works 15 points 2 years ago

Pro tip: leave the password field on the site but make it invisible. So when I am using my password manager to fill in the username, the password field will be filled out too. And I don't have to use my password manager twice for one login.

[-] attaxia@lemmy.world 9 points 2 years ago

1Password actually is really good at handling these two step login screens, for me it always autofills the password correctly

[-] Plagiatus@lemmy.world 9 points 2 years ago

So far Bitwarden has been doing great for me, too.

[-] NightAuthor@lemmy.world 3 points 2 years ago

Are you using the auto-fill on page load? I heard that is a security risk.

For me I have to <> <>, <> <>

To login to these forms, and on mobile this means unlocking my vault twice (which happens to be a bit annoying bc my Face ID is broken)

[-] Dianoga@lemm.ee 16 points 2 years ago

This is the answer. I've had to build it a handful of times and it always feels bad.

[-] blackbrook@mander.xyz 3 points 2 years ago

And it's impossible to provide for all these options on one screen, with either a password field that some users ignore or some kind of option selection that either hides or shows it?

[-] bus_factor@lemmy.world 11 points 2 years ago

If you put that much trust in users you are in for a rough time. You'd get tons of "forgot password" requests because people expect to fill in every password field they're presented with. If you ask them what mode of auth they used, they don't know. Heck, I consider myself fairly on top of things, and I don't always remember how I authenticated to some site I rarely visit.

Most users would rather wait for an extra page load than deal with any of the above.

[-] boatswain@infosec.pub 3 points 2 years ago

So exposing information about users (how they log in) without authenticating that you're someone authorized to have that information?

The better way to do this is to just have "log in with Google" or whatever buttons.
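
Added example (not part of the thread, and not any commenter's code): one way an identifier-first login can route SSO users, as the answers above describe, without revealing per-account details, which is the concern raised in the comment just above. The domain table, account store, URLs and the `passwordOk` stand-in for real password verification are all constructed for illustration.

```javascript
// Constructed sample data: tenant domains mapped to their SSO entry points.
// All domains and URLs are hypothetical.
const SSO_BY_DOMAIN = new Map([
  ["initech.example", "https://sso.initrode.example/login"],
]);

// Constructed account store; consulted only in step 2, never in step 1.
const ACCOUNTS = new Map([
  ["bill@mail.example", { method: "password" }],
  ["peter@initech.example", { method: "sso" }],
]);

function normalize(identifier) {
  return String(identifier).trim().toLowerCase();
}

// Step 1: decide what to show next from the identifier alone.
// Only the domain's configuration is used, so the answer is identical
// for existing and non-existing accounts in the same domain.
function firstStep(identifier) {
  const id = normalize(identifier);
  const at = id.lastIndexOf("@");
  const domain = at === -1 ? "" : id.slice(at + 1);
  const idp = SSO_BY_DOMAIN.get(domain);
  if (idp) {
    const url = new URL(idp);
    // login_hint is the OpenID Connect pre-fill parameter; that this
    // hypothetical IdP honours it is an assumption.
    url.searchParams.set("login_hint", id);
    return { next: "sso", redirect: url.toString() };
  }
  return { next: "password" };
}

// Step 2 (password branch): one generic failure for every cause,
// including "no such account" and "this account uses SSO".
// passwordOk stands in for a real password-hash verification.
function secondStep(identifier, passwordOk) {
  const account = ACCOUNTS.get(normalize(identifier));
  if (account && account.method === "password" && passwordOk) {
    return { ok: true };
  }
  return { ok: false, error: "Invalid credentials" };
}
```

Per-user social logins (Google, Facebook and so on) cannot be routed this way without a per-account lookup, which is why the separate "log in with ..." buttons suggested in the thread remain the non-revealing option for them.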

[-] crowsby@kbin.social 115 points 2 years ago

Similarly, platforms that default to a massive CREATE AN ACCOUNT box centered on the screen and make you play Where's Fucking Waldo trying to find the size 8 "Log In" hyperlink.

[-] Rouxibeau@lemmy.world 16 points 2 years ago

Because new signups are more valuable than existing users.

[-] J4nk@lemmy.world 7 points 2 years ago

That, plus the majority of users seeing the login screen are probably new. At least, unless it's one of those annoying sites that makes you log in every single time.

[-] TheGreenGolem@lemm.ee 5 points 2 years ago

Oh how much I hate it. I want to log in once in my lifetime. You can log me out when I die.

[-] radix@lemmy.world 82 points 2 years ago

I wouldn't mind the separate pages for username / password if the "remember me on this device" checkbox weren't fucking useless 99% of the time.

[-] redballooon@lemm.ee 9 points 2 years ago

Oh yes.

That probably is not covered by the functional cookies, which are the maximum I allow any site.

[-] ChaoticNeutralCzech@feddit.de 5 points 2 years ago* (last edited 2 years ago)

Microsoft:

Stay signed in?

This will decrease how many login prompts you see.

⬜ Remember on this device

No Yes

Why isn’t the checkbox implied if I press Yes?

[-] SpaceNoodle@lemmy.world 4 points 2 years ago

Is it ever not useless?

[-] hperrin@lemmy.world 79 points 2 years ago

I believe it is so they can support various different SSO providers.

Like, oh you're trying to log in as Peter, well you're a member of the Initech domain, which uses the Initrode SSO, so let me redirect you to their SSO login page.

Oh, you're Bill, you just use a password you pleb. Here's your text box.

[-] sebinspace@lemmy.world 13 points 2 years ago

Initech

You wouldn’t happen to have 8 bosses, would you?

[-] schnurrito@discuss.tchncs.de 61 points 2 years ago

Nowadays it is possible to set up many services in such a way that you authenticate in a different way from a password, for example with an app on a smartphone. Such services can't ask you for your password until you have told them what account you want to log into because it might turn out you have to give them something other than a password.

[-] bia@lemmy.world 40 points 2 years ago

I think it's due to single sign-on (SSO) or other means of authentication (OAuth), which is convenient when used.

But I agree, annoying if you use username and password.

[-] _number8_@lemmy.world 27 points 2 years ago

yeah i noticed this as well. extremely annoying, i'm sick of UX getting shittier and more annoying for the vague promise of 'security'. having to get my phone out to login to youtube is a fucking downgrade, plain and simple.

[-] Brkdncr@artemis.camp 25 points 2 years ago

Federation. Your email address could either be local creds, or federated with google, Microsoft, Facebook, Apple, etc.

When you submit your email address, it determines how you will be authenticating when you submit it.

[-] adam@discuss.tchncs.de 7 points 2 years ago* (last edited 2 years ago)

That could be done after the user enters both the email/username and password

Edit: sorry, I think I misunderstood what you said, but if someone is using something like "sign in with google", we've had separate buttons for that for ages.

[-] FunkFactory@lemmy.world 4 points 2 years ago

I think it might solve the problem that people often don't remember if they created their account using SSO or with an email/password combo. So the site looks up your email to see what login method you use in order to redirect you to the proper prompt.

[-] Bishma@discuss.tchncs.de 24 points 2 years ago* (last edited 2 years ago)

It started as a defense against credential stuffing and a speed bump against brute force attacks. Not only is it additional loads for a bot to do, but passive captcha can be put between the steps. Now I think it's becoming fashionable.

[-] redballooon@lemm.ee 6 points 2 years ago

Brute force attacks through a web interface cannot be a real thing. Performance is much too bad to get anywhere even in great scenarios, plus it'd be simple to defend against.

But even if, web automation tools don’t need to be bothered by separating input fields. In the end one request is sent anyway.

This is a ux thing.

[-] promitheas@iusearchlinux.fyi 11 points 2 years ago

I can't answer about the separation of username/password, but unnecessary animations seem to be a product of the ensh*ttification of the web

[-] uriel238 10 points 2 years ago* (last edited 2 years ago)

There's two reasons I can think of. One is direct resistance by services to password auto-fill during the aughts (it was new and scary) and separating the account field and pass field defeated auto-fill detection at the time. Amazon separated account and password around then and it's been that way since.

The other is your secret picture, a preventative measure against phishing attacks used by banks and other commercial interests. When you create an account, you're asked to select a stock image and a phrase that the site shows you when asking for your password. That way you know it's really the bank's site and not a phishing site.

Right now I think I have only one web account that uses such a protection.

[-] AlwaysNowNeverNotMe@kbin.social 9 points 2 years ago

Probably a security measure to slow down brute forcing

[-] ryannathans@aussie.zone 6 points 2 years ago* (last edited 2 years ago)

As tech gets progressively faster we must find ways to make software slower and less usable otherwise it would be too convenient /s

[-] MyNotPublicAccount@lemmy.world 4 points 2 years ago

Your cynicism is not only unhelpful but also inaccurate.

[-] ryannathans@aussie.zone 2 points 2 years ago

I'm sorry my sarcasm was lost on you

[-] MyNotPublicAccount@lemmy.world 2 points 2 years ago

Thanks for the apology! It can be difficult to convey tone over text.

You may be surprised to hear that lots of people actually believe the position you were sarcastically presenting! Glad you're not one of them.

[-] Oisteink@feddit.nl 6 points 2 years ago

It still gets filled in by all browsers I have. From a usability point of view, there's less chance someone presses Enter after putting in their login name, thus leaving the password field empty and getting refused. This will often lead to a disruption friction of their workflow (don’t know the proper English word)

[-] ChaoticNeutralCzech@feddit.de 5 points 2 years ago

The JS to detect an empty password field and only enabling Enter onchange is way simpler than the code for two separate pages. I actually implemented the former once.

[-] bappity@lemmy.world 5 points 2 years ago* (last edited 2 years ago)

Google does this best. It hides the password field but it can still be picked up by bitwarden and other password managers so will already be auto-filled when you press next.

I still hate that form of login though.

[-] Kalkaline@leminal.space 2 points 2 years ago

I assume it's to prevent some sort of automated process from trying a username and password over and over again, but that seems easy to get around.

[-] Tarquinn2049@lemmy.world 2 points 2 years ago

Companies lose money when their customers get complacent with security. This is one method to increase engagement with the log in process to minimize inattention. Obviously it goes counter to the opposite goal of reducing friction with the UI, they try to balance somewhere between both.

[-] Taleya@aussie.zone 2 points 2 years ago

The biggest cause of data compromise is the damned companies themselves, not the users

this post was submitted on 02 Oct 2023
326 points (100.0% liked)
