why do so many sites make you log in with a box for you to put your email which you have to submit before they'll show the password box and then you have to submit that again, what possible purpose does it serve?? I assume it's not checking your email is on their system before letting you enter a password cos that sounds like a security flaw
@wolfie I think it's mostly because some people will be logging in via Single Sign-On according to their account settings, and therefore won't be prompted for a password.
In the early days of this practice, it really messed with password managers, but now they seem to handle it better. I'm not sure on which end things improved.
I don't think it meaningfully helps against brute force attempts, though.
@varx I'm not sure what you mean by single sign on? On any site I've ever seen this I have to enter the email/username and then it loads the password box after you submit
@wolfie Single Sign-On (SSO) is when you delegate authentication to some third party. A classic example of this is "Sign in with Facebook". The site sends you off to Facebook, then Facebook authenticates you and redirects back with a token indicating and vouching for your identity.
But there's another variation where you give your identity first, and *then* the SSO flow kicks off. This is common for corporations and universities and looks like this: Try to go to GMail; Google asks for your email address; Google sees that you entered email@example.com and that the Example Corporation has a special sign-in flow; Google redirects to Okta or OneLogin or some other SSO Identity Provider (IdP); the IdP redirects back vouching for your identity; you finally get to your mail.
The "only email first" pattern (partially) exists to support this -- it has to check your email address to know whether you'll even be signing in with a password.
@wolfie You're totally right, by the way, that it's a security flaw to reveal whether an email address is registered with the site. But there are enough good reasons to do it from a usability perspective that some sites will just accept the risk. 🤷
the mastodon instance at cybre.space is retired
see the end-of-life plan for details: https://cybre.space/~chr/cybre-space-eol