has reached the end-of-life and is now read-only. Please see the EOL announcement for details

why do so many sites make you log in with a box for you to put your email which you have to submit before they'll show the password box and then you have to submit that again, what possible purpose does it serve?? I assume it's not checking your email is on their system before letting you enter a password cos that sounds like a security flaw

found a question on stack exchange about it, it apparently is good because it decouples parts of the login process and reduces brute force attempts, but also it makes autofill incredibly tedious so meh

@wolfie I think it's mostly because some people will be logging in via Single Sign-On according to their account settings, and therefore won't be prompted for a password.

In the early days of this practice, it really messed with password managers, but now they seem to handle it better. I'm not sure on which end things improved.

I don't think it meaningfully helps against brute force attempts, though.

@varx I'm not sure what you mean by single sign on? On any site I've ever seen this I have to enter the email/username and then it loads the password box after you submit

@wolfie Single Sign-On (SSO) is when you delegate authentication to some third party. A classic example of this is "Sign in with Facebook". The site sends you off to Facebook, then Facebook authenticates you and redirects back with a token indicating and vouching for your identity.

But there's another variation where you give your identity first, and *then* the SSO flow kicks off. This is common for corporations and universities and looks like this: Try to go to GMail; Google asks for your email address; Google sees that you entered and that the Example Corporation has a special sign-in flow; Google redirects to Okta or OneLogin or some other SSO Identity Provider (IdP); the IdP redirects back vouching for your identity; you finally get to your mail.

The "only email first" pattern (partially) exists to support this -- it has to check your email address to know whether you'll even be signing in with a password.

@wolfie The real fun is that you can have a whole chain of identity providers, where Corporate Internal App delegates to Corporate Identity Provider which delegates to Google which delegates to Okta or some other awful sequence like that. (I can't think of a real example at the moment, but I've seen one.)

@wolfie You're totally right, by the way, that it's a security flaw to reveal whether an email address is registered with the site. But there are enough good reasons to do it from a usability perspective that some sites will just accept the risk. 🤷
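A sketch of the email-first step discussed in this thread, added as an example and not taken from any of the posts or from a real site: it routes by email domain to an SSO provider, and contrasts a handler that reveals whether an address is registered with one that answers every non-SSO address the same way. The domain table, account set, IdP URL and function names are hypothetical; `login_hint` is the standard OpenID Connect parameter for passing the entered address along.

```python
from urllib.parse import urlencode

# Constructed sample data (assumptions for this example only).
SSO_DOMAINS = {"example.com": "https://idp.example.com/sso/start"}
LOCAL_ACCOUNTS = {"alice@example.org"}


def _split(email: str):
    """Normalise the address and return (email, domain), or None if malformed."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    return email, domain


def leaky_next_step(email: str) -> dict:
    """Email-first step that tells the caller whether the account exists."""
    parsed = _split(email)
    if parsed is None:
        return {"step": "error", "reason": "invalid_email"}
    email, _ = parsed
    if email not in LOCAL_ACCOUNTS:
        # This distinct answer is the enumeration signal.
        return {"step": "error", "reason": "no_such_account"}
    return {"step": "password"}


def next_step(email: str) -> dict:
    """Email-first step that decides SSO vs. password from the domain alone."""
    parsed = _split(email)
    if parsed is None:
        return {"step": "error", "reason": "invalid_email"}
    email, domain = parsed
    idp = SSO_DOMAINS.get(domain)
    if idp:
        # Routing depends only on the domain, so it says nothing about
        # whether this particular mailbox has an account.
        return {"step": "redirect",
                "url": idp + "?" + urlencode({"login_hint": email})}
    # Registered or not, every other address gets the same password prompt;
    # the account lookup happens only when the password is checked.
    return {"step": "password"}


if __name__ == "__main__":
    for addr in ("alice@example.org", "nobody@example.org", "bob@example.com"):
        print(addr, leaky_next_step(addr), next_step(addr))
```
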
