Back in the old times, on the sites I log in regularly, my browser filled in both username and password. I clicked “Log in” once, and I was set to go.
But no more. Now it’s all first a username, then a password. From what I saw, Apple started this many years ago, but now this bother really spread. And it’s not like I can just double-click on the same screen area, oh no. Animations make sure that I have to wait several hundred milliseconds before the password field is there, and depending on the site, I even have to select from my browser, which login I want to use, twice!
Why, oh why?
All my screens are really big enough to display 2 text fields. What are arguments for this behavior? I don’t see any.
A lot of services these days support multiple forms of authentication. Did you sign up with a separate password? Did you use Google or Facebook auth? Is this a corporate account where auth is via their SSO? They don’t even know whether they should ask for your password until they know who you are.
That’s the best explanation I heard so far.
This is the answer. I’ve had to build it a handful of times and it always feels bad.
So exposing information about users (how they log in) without authenticating that you’re someone authorized to have that information?
The better way to do this is to just have “log in with Google” or whatever buttons.
As I mentioned elsewhere in the thread, most users don’t remember what they used when they created the account, particularly if it’s something they don’t use often. It’s also cumbersome to have to input that, especially if you bundle that with an optional password field.
That’s not to say you don’t have a point about leaking that information. Personally I’d be more concerned about leaking the fact that I have an account at all. If this is a concern for you, you are likely not inclined to use the likes of Google Auth or Facebook Auth. You’d be better off using a unique password for each service, store them in some sort of password manager, and rely on the default behavior treating “local account” and “no account” the same in terms of showing you the password field.
Maybe that’s not your preferred behavior, but it does allow you to keep that data private while simultaneously being easier to use for the SSO users.
And it’s impossible to provide for all these options on one screen, with either a password field that some users ignore or some kind of option selection that either hides or shows it?