I see this more and more lately: go to log in to some site, and they only show the username field. Enter username, click Submit, then a password field appears. Enter password, click Submit again, and then we’re logged in.

This makes using a password manager super annoying, because I have to trigger the autofill twice.

Is there some security-related reason more sites are doing this? Is it an anti-bot thing? I’m just really curious, because it seems so pointless on its face, but it seems to be spreading.

  • DonWito@lemmy.techtailors.net
    1 year ago

    It’s done this way for SSO. Sometimes instead of providing the password you will be redirected to your company’s SSO based on the email address domain.

  • Stirnlappenbasilisk@feddit.de
    1 year ago

    This makes using a password manager super annoying, because I have to trigger the autofill twice.

    Some - if not most - password managers let you configure the auto-type-sequence for each password individually (e.g. KeePassXC). Just change the default {USERNAME}{TAB}{PASSWORD}{ENTER} to {USERNAME}{ENTER}{DELAY X}{PASSWORD}{ENTER} with X being a delay in milliseconds that pauses the sequence until the new page has loaded completely.

  • body_by_make@lemmy.dbzer0.com
    1 year ago

    As the other person said, this is a classic SSO pattern. Your email or sometimes just organization ID that you enter in that field will send you off somewhere else to sign in, then you don’t get the password field at all.

  • debaser@lemmy.ca
    1 year ago

    I don’t have an answer for your original question, but I have noticed some forms still autofill the password field. Guessing it’s handled by hiding and un-hiding via CSS, so the extension can still find it and autofill.

    I think PayPal may be one off the top of my head if I’m not mistaken

  • skip0110@lemm.ee
    1 year ago

    If the transition was anything but fake (i.e. they do something with the user name before showing the password field) I feel like that would be a bigger security hole. A leak of some sort of info about the username maybe.

    • body_by_make@lemmy.dbzer0.com
      1 year ago

      They usually just check if it needs to go to an SSO sign in. The only thing that will happen is if the email or org id you entered belongs to an SSO identity then you’ll be taken somewhere else to log in. Otherwise, whether the username/email exists or not, it’s the same password flow.
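
The identifier-first flow discussed in this thread, sketched as an added example that is not part of any comment or any site's real code: step one only decides between an SSO redirect and a password prompt, and gives the same answer for existing and non-existing local accounts. The domain table, the user store and the function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: email domains federated to an identity provider.
SSO_DOMAINS = {"corp.example": "https://idp.corp.example/sso/start"}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed local account store: identifier -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@mail.example": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown identifier costs the same hashing work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("not-a-real-password", _DUMMY_SALT))

def identifier_step(identifier: str) -> dict:
    """Step 1: choose SSO redirect or password prompt from the domain alone."""
    ident = identifier.strip().lower()
    domain = ident.rpartition("@")[2]
    if domain in SSO_DOMAINS:
        return {"next": "sso", "redirect": SSO_DOMAINS[domain]}
    # Deliberately no lookup in USERS here: known and unknown
    # identifiers must receive an identical response.
    return {"next": "password"}

def password_step(identifier: str, password: str) -> bool:
    """Step 2: verify the password; unknown users fail after equal work."""
    ident = identifier.strip().lower()
    salt, stored = USERS.get(ident, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return matches and ident in USERS
```

The only thing step one reveals is whether a domain is federated, which is a property of the organization and not of any individual account.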