I need to load a second page to enter my password in some sites. Why is this? I even have a site I use that has the username, password and 2FA entries on separate pages that each need to be loaded one after the other.
My uneducated guess is that it makes it harder for bots, but I can’t imagine it being that much of an impedance 🤷
Cheers!
This is called an identity first workflow and is used specifically so that they can route different people to different login ceremonies or providers.
They get your id first, and use that id to determine what your login ceremony is. Perhaps you’re with a business that they have an sso integration with and will send you on to your businesses sso provider, or perhaps you’re a local user for them and get a password screen next.
login ceremony
What pretentious asshole came up with that bit of jargon?
Me…
I will steal it for work without giving credit! Thanks!
Do it! I work in the industry and have found it to be very effective in conversations spanning varying levels of technical expertise.
A good analogy goes a long long way.
identity first workflow and is used specifically so that they can route different people to different login [hamster wheels]
The one thing MADE for JavaScript and no.
It’s often implemented with JavaScript, yes
Different domains need different authentication flows. If the provided email ends in a domain they recognize, instead of prompting for a password you’d be sent to another auth provider to authenticate there.
This is usually the right answer. In the past, logging in was a simple pipeline with no forks along the way. That’s why a simple username + password did the trick. Nowadays, logging in has become a complicated journey with several ways to get to the destination. Once the site knows your email, it knows what’s the next step in your case.
Sometimes it’s just UI/UX, sometimes it’s to deter specific patterns they’ve seen from bots, users, or brute-force. It’s really just subjective. One isn’t necessarily better than the others though it does mess with automated input of credentials a lot of times.
deleted by creator
Nah, that’s ineffective. A simple Captcha and lockout would do more to deter brute forcing than having two different forms.
deleted by creator
I always assumed some sites harvest what ever you enter in the first box. Especially if it’s an email address. But other people in this thread have the legitimate answer.
Some sites check if the account does not exist yet to show a registration form.
its called “enshitification”
there’s a book about it
This login flow has nothing whatsoever to do with enshitification. Websites have used it before that term was coined. As others have said, it’s basically because they use your username to check what login page to send you to.
