Are login forms that ask for your username and password on two different pages more secure?

Publish Date: Feb 25 '19

10 15

It’s becoming more and more common: instead of a login form where you fill your e-mail or username and your password, you first have to fill your username and submit the form a first time for the password field to appear on the second page (which is often loaded via Ajax, but the fact that the URL doesn’t change doesn’t make the problem disappear).

There is no need to discuss the fact that it’s annoying, but it seems that companies choose to do so because they believe it’s more secure. Is it really? And if so, why?

(Cover image by Del.)

Comments 15 total

Olivier “Ölbaum” ScherlerFeb 25, 2019

My opinion is that this trend is the result of Cargo Cult Security: the others are doing it, so it must be more secure. So when people ask me why I am doing it, I will tell them, without further justification, that it’s for security, and they will in turn believe that it’s more secure.

Another possible explanation is that it’s a misunderstanding of the meaning of the term “2-step verification.” The login form asks for your username and password in two different steps, and we all know (believe?) that 2-step verification is more secure.
- Quentin SonrelFeb 25, 2019
  
  I doubt it's a misunderstanding of "2-step authentication" because even big companies (like Google) are doing it, I'm pretty sure they know the difference.
  
  Maybe it's just a design trend, I don't know, but either way it's annoying as hell.
  - Mihail MaloFeb 25, 2019
    
    IDK, LastPass seems to be doing fine with it.
Kevin WoblickFeb 25, 2019
I cannont think of a reason why this should be more secure. From what I know this is a thing where federated accounts may be used. They first check your email to determine if they have to redirect you to another site of ask you for a password.

Related blog article from Brad Frost: bradfrost.com/blog/post/dont-get-c... with hundreds of interesting comments on HN: news.ycombinator.com/item?id=19171402
- Olivier “Ölbaum” ScherlerFeb 25, 2019
  
  It’s a good point. Also, it’s that article that reminded me of a ticket I had open about this with the security excuse, which in turn prompted this discussion.
Sergey KislyakovFeb 25, 2019
The only form I remember that does that is Google auth. I guess that's some sort of UX, because you can either sign in or sign up (login/register for those who struggle to understand these dumb sign-things, like me) using the same form. And it's not more secure in any way.
- Olivier “Ölbaum” ScherlerFeb 25, 2019
  
  I also struggle with sign in and sign up, as English is not my mother tongue. I know the difference, but I have to stop and think. Also, there isn’t enough difference visually to distinguish them without reading.
  
  Google auth is the most broken login form I have seen in my life. If you’re unlucky enough to have more that one account, you can be sure you’re constantly half-logged-in (it remembers you but still wants your password) to the wrong one and the only way to stop it is to log in so you can log out. And start again next time you need to switch accounts (maybe it improved recently, but it’s been awful like that for a while).
Matteo RigonFeb 25, 2019
I think It's not a security measure per-se, but just a way to provide optional multi-factor authentication.
When you submit your username/email the server can check to see if it's a suspicious or legit login attempt and render more or less additional input fields accordingly.
Most of us just see an email field on the first step and a password field on the second step and think its a bit silly but if you get prompted with additional fields based on some criteria it seems a pretty clean solution
- Olivier “Ölbaum” ScherlerFeb 25, 2019
  In multi-factor authentication, the second factor is usually triggered after you successfully typed your password (otherwise anyone could flood people with SMS codes just by filling their e-mail address).
  - Sergey KislyakovFeb 25, 2019
    
    You could technically perform some security audit upon entering e-mail, e.g. if you keep tracking of login attempts. If there are 18493 successful logins from 1.1.1.1 and then someone tries to log in from 2.2.2.2, you could already alert an user about some suspicious attempt.
Brandon XversialFeb 25, 2019
This is more secure and has a few extra benefits.
- Makes generic http(s) form interception much more difficult.
- Allows synchronous user specific logic defined by the server without the need for preset JavaScript or an added roundtrip.
- Debatably improves UX
  
  ex. Add logic to determine if the user exists, and if not show them the registration form instead of requesting a password. !!! Please note the security risk involved with doing this!!!
- Cleans up the page
I would like to add in addition that you can accomplish the second bullet point using Javascript alternatively.
For example, you could add Javascript logic to listen for changes to the email text input, and conditionally redirect the user if they put an email with specific domain(s).
- Olivier “Ölbaum” ScherlerFeb 25, 2019
  Do you mean that if you can intercept and decode HTTPS traffic but only on 50% of requests, then you have 25% percent of chance to intercept both username and password?
  
  The two-step form already is an added roundtrip, and in addition requires user interaction to it’s a thousand times slower than an Ajax roundtrip;
  
  Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;
  
  Excuse me?
  - Sergey KislyakovFeb 25, 2019
    
    Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;
    
    To be honest, it's not that much of a difference with the traditional approach when you send e-mail and password at the same time. You'd still receive an error telling you that this e-mail is taken/invalid password, so asking the e-mail first does not make that much of a difference, but it really improves the UX imo (I don't have to go to the register page if the e-mail is not found, the form would change itself on the fly).
    
    Makes generic http(s) form interception much more difficult.
    
    How?
Phil NashJul 31, 2019

I don't believe that this has anything to do with extra security. What it does allow for is the site to detect whether your account is associated with a single sign on provider. Then, you get redirected to your provider instead of being asked for your password.

My colleague Kelley did a great write up on why the username and password might be on different pages in which she discusses the security implications as well as other interface considerations. Hopefully that clears things up a bit.
Ruslan ShashkovNov 29, 2019

Those forms must die in a triple-agony. I hope the times will come when this dumbest trend will be gone. I hate when I'm logging in Amazon, Google, Apple, every f...ng site and having a scenario like:

– Click the email field, select my saved creds, unlock with my fingerprint, click next, wait...
– Click the password field, select my f...ng saved creds one more f...ng time, click f...ng next, done...
– Oh no!!! I've accidentally selected the f...ng other creds one the f...ng second bloody step!!! Ffffffffffff...k!!!
– F...ng click the f...ng password f...ng field, f...ng select my f...ng saved creds one more bloody f...ng time, click f...ng bloody next button, now f...ng done OMG!

I hate that! Why are they doing that?

Add comment

Olivier “Ölbaum” Scherler @oscherler

Are login forms that ask for your username and password on two different pages more secure?

Comments 15 total