Back in the old times, on the sites I log in regularly, my browser filled in both username and password. I clicked “Log in” once, and I was set to go.

But no more. Now it’s all first a username, then a password. From what I saw, Apple started this many years ago, but now this bother really spread. And it’s not like I can just double-click on the same screen area, oh no. Animations make sure that I have to wait several hundred milliseconds before the password field is there, and depending on the site, I even have to select from my browser, which login I want to use, twice!

Why, oh why?

All my screens are really big enough to display 2 text fields. What are arguments for this behavior? I don’t see any.

  • bus_factor@lemmy.world
    link
    fedilink
    arrow-up
    102
    ·
    edit-2
    1 year ago

    A lot of services these days support multiple forms of authentication. Did you sign up with a separate password? Did you use Google or Facebook auth? Is this a corporate account where auth is via their SSO? They don’t even know whether they should ask for your password until they know who you are.

    • Dianoga@lemm.ee
      link
      fedilink
      arrow-up
      14
      ·
      1 year ago

      This is the answer. I’ve had to build it a handful of times and it always feels bad.

    • blackbrook@mander.xyz
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      And it’s impossible to provide for all these options on one screen, with either a password field that some users ignore or some kind of option selection that either hides or shows it?

    • boatswain@infosec.pub
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      So exposing information about users (how they log in) without authenticating that you’re someone authorized to have that information?

      The better way to do this is to just have “log in with Google” or whatever buttons.

      • bus_factor@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        As I mentioned elsewhere in the thread, most users don’t remember what they used when they created the account, particularly if it’s something they don’t use often. It’s also cumbersome to have to input that, especially if you bundle that with an optional password field.

        That’s not to say you don’t have a point about leaking that information. Personally I’d be more concerned about leaking the fact that I have an account at all. If this is a concern for you, you are likely not inclined to use the likes of Google Auth or Facebook Auth. You’d be better off using a unique password for each service, store them in some sort of password manager, and rely on the default behavior treating “local account” and “no account” the same in terms of showing you the password field.

        Maybe that’s not your preferred behavior, but it does allow you to keep that data private while simultaneously being easier to use for the SSO users.

  • radix@lemmy.world
    link
    fedilink
    English
    arrow-up
    64
    ·
    1 year ago

    I wouldn’t mind the separate pages for username / password if the “remember me on this device” checkbox weren’t fucking useless 99% of the time.

  • crowsby@kbin.social
    link
    fedilink
    arrow-up
    62
    arrow-down
    1
    ·
    1 year ago

    Similarly, platforms that default to a massive CREATE AN ACCOUNT box centered on the screen and make you play Where’s Fucking Waldo trying to find the size 8 “Log In” hyperlink.

      • J4nk@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        That, plus the majority of users seeing the login screen are probably new. At least, unless it’s one of those annoying sites that makes you log in every single time.

  • schnurrito@discuss.tchncs.de
    link
    fedilink
    arrow-up
    33
    ·
    1 year ago

    Nowadays it is possible to set up many services in such a way that you authenticate in a different way from a password, for example with an app on a smartphone. Such services can’t ask you for your password until you have told them what account you want to log into because it might turn out you have to give them something other than a password.

  • bia@lemmy.world
    link
    fedilink
    arrow-up
    32
    ·
    1 year ago

    I think it’s due to single sign on (SSO) or other means of authentication (OAUTH), which is convenient when used.

    But I agree, annoying if you use username and password.

  • 👍Maximum Derek👍@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    2
    ·
    edit-2
    1 year ago

    It started as defense against credential stuffing and a speed bump against brute force attacks. Not only is it additional loads for a bot to do, but passive captcha can be put between the steps. Now I think its becoming fashionable.

    • redballooon@lemm.eeOP
      link
      fedilink
      arrow-up
      5
      arrow-down
      7
      ·
      1 year ago

      Brute force attacks through web interface cannot be a real thing. Performance is much too bad to get anywhere even in great scenarios, plus its be simple to defend against.

      But even if, web automation tools don’t need to be bothered by separating input fields. In the end one request is sent anyway.

      This is a ux thing.

  • Brkdncr@artemis.camp
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    Federation. Your email address could either be local creds, or federated with google, Microsoft, Facebook, Apple, etc.

    When you submit your email address, it determines how you will be authenticating when you submit it.

    • Ádám@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      That could be done after the user enters both the email/username and password

      Edit: sorry, I think I misunderstood what you said, but if someone is using something like “sign in with google”, we’ve had separate buttons for that for ages.

      • FunkFactory@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        I think it might solve the problem that people often don’t remember if they created their account using SSO or with an email/password combo. So the site looks up your email to see what login method you use in order to redirect you to the proper prompt.

      • Devion@feddit.nl
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Yes, with a limited set of federations you can have the user make that choice beforehand. But sometimes the options are changing all the time and/or you don’t want to announce all the services you’re federating with, or it wouldn’t make sense anyway.

  • Oisteink@feddit.nl
    link
    fedilink
    arrow-up
    5
    arrow-down
    1
    ·
    1 year ago

    It still gets filled in by all browsers I have. From usability point of view it’s less chance someone press enter after putting in their login name thus leaving the password field empty and getting refused. This will often lead to a disruption friction of their workflow (don’t know the proper English word)

    • ChaoticNeutralCzech@feddit.de
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      The JS to detect an empty password field and only enabling Enter onchange is way simpler than the code for two separate pages. I actually implemented the former once.

      • Oisteink@feddit.nl
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        Sure - but quite often it’s about doing what’s easy for the users/customers rather than programmers

          • Oisteink@feddit.nl
            link
            fedilink
            arrow-up
            0
            arrow-down
            1
            ·
            1 year ago

            I’m not saying it IS a better solution, just that it might be. Did you do any usability testing on the two solutions and want to share some insight?
            And I do think that if your decision on UX comes down to what’s easy to code you are wrong.

  • promitheas@iusearchlinux.fyi
    link
    fedilink
    arrow-up
    6
    arrow-down
    2
    ·
    1 year ago

    I cant answer about the separation of username/password, but unnecessary animations seem to be a product of the ensh*ttification of the web

  • Bappity@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Google does this best. It hides the password field but it can still be picked up by bitwarden and will already be auto-filled when you press next.

    I still hate that form of login though.

  • Uriel238 [all pronouns]@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    1 year ago

    There’s two reasons I can think of. One is direct resistance by services to password auto-fill during the aughts (it was new and scary) and separating the account field and pass field defeated auto-fill detection at the time. Amazon separated account and password around then and it’s been that way since.

    The other is your secret picture, a preventative measure against phishing attacks used by banks and other commercial interests, When you create an account, you’re asked to select a stock image and a phrase that the site shows you when asking for your password. That way you know it’s really the bank’s site and not a phishing site.

    Right now I think I have only one web account that uses such a protection.

  • Kalkaline @leminal.space
    link
    fedilink
    arrow-up
    1
    arrow-down
    1
    ·
    1 year ago

    I assume it’s to prevent some sort of automated process from trying a username and password over and over again, but that seems easy to get around.

  • ryannathans@aussie.zone
    link
    fedilink
    arrow-up
    4
    arrow-down
    5
    ·
    1 year ago

    As tech gets progressively faster we must find ways to make software slower and less usable otherwise it would be too convenient