I need to load a second page to enter my password in some sites. Why is this? I even have a site I use that has the username, password and 2FA entries on separate pages that each need to be loaded one after the other.

My uneducated guess is that it makes it harder for bots, but I can’t imagine it being that much of an impedance 🤷

Cheers!

  • misterbngo@awful.systems · 22 upvotes · 10 hours ago

    This is generally done when you have customers with SSO; the first one will take the email, and if the domain is SSO’d it forces them through a particular workflow. Otherwise you get the other normal username/password flow.

  • faltryka · 84 upvotes · 13 hours ago

    This is called an identity first workflow and is used specifically so that they can route different people to different login ceremonies or providers.

    They get your ID first, and use that ID to determine what your login ceremony is. Perhaps you’re with a business that they have an SSO integration with and will send you on to your business’s SSO provider, or perhaps you’re a local user for them and get a password screen next.

    • grue · 27 upvotes, 3 downvotes · 9 hours ago

      login ceremony

      What pretentious asshole came up with that bit of jargon?

        • DV8 · 11 upvotes · 7 hours ago

          I will steal it for work without giving credit! Thanks!

          • faltryka · 6 upvotes · 7 hours ago

            Do it! I work in the industry and have found it to be very effective in conversations spanning varying levels of technical expertise.

      • NotSteve_@piefed.ca · 6 upvotes · 9 hours ago

        Lol I’ve never heard that term but it actually does kind of work. Auth is something that is very standardised with its communication between the FE and BE so the login flow could be compared to a ceremony. Kind of a silly way to describe it though.

    • village604@adultswim.fan · 2 upvotes · 10 hours ago

      That doesn’t explain why my Synology NAS does it, though, because I don’t believe the web portal has the ability to handle different authentication flows.

      I think it might also be a barrier against brute force attacks.

      • dustyData · 4 upvotes · 5 hours ago (edited)

        Synology offers cloud services and business level support for their enterprise products. They do support different authentication workflows, they are just not all included with the consumer products.

      • NotSteve_@piefed.ca · 4 upvotes · 9 hours ago

        I’ve never used Synology stuff but it could be future proofing or a default feature of the authentication service/provider they’re using (if they are using one).

        For a NAS, it actually seems like something corporate customers would very much want to have SSO support for, so I’d actually be surprised if there wasn’t some way to set it up already.

    • corsicanguppy@lemmy.ca · 1 upvote, 2 downvotes · 8 hours ago

      identity first workflow and is used specifically so that they can route different people to different login [hamster wheels]

      The one thing MADE for JavaScript and no.

  • mspencer712@programming.dev · 43 upvotes · 13 hours ago

    Different domains need different authentication flows. If the provided email ends in a domain they recognize, instead of prompting for a password you’d be sent to another auth provider to authenticate there.

    • TranquilTurbulence@lemmy.zip · 17 upvotes · 12 hours ago

      This is usually the right answer. In the past, logging in was a simple pipeline with no forks along the way. That’s why a simple username + password did the trick. Nowadays, logging in has become a complicated journey with several ways to get to the destination. Once the site knows your email, it knows what’s the next step in your case.
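
The domain-based routing the replies above describe, as an added example (not part of the thread, and not any site's real code): the first page submits only the identifier, and the server picks the second page from its domain. `SSO_DOMAINS`, `route_login`, `normalize_domain` and the `.example` URLs are hypothetical names and constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: tenant domains mapped to their SSO endpoints.
# Both the domains and the URLs are placeholders, not real providers.
SSO_DOMAINS = {
    "corp.example": "https://idp.corp.example/sso/start",
    "uni.example": "https://login.uni.example/saml",
}


@dataclass(frozen=True)
class NextStep:
    kind: str                          # "sso_redirect", "password" or "invalid"
    redirect_url: Optional[str] = None


def normalize_domain(identifier: str) -> Optional[str]:
    """Return the canonical domain of an email-style identifier, or None."""
    local, sep, domain = identifier.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain:
        return None
    try:
        # IDNA-encode so a look-alike Unicode domain never equals an ASCII key.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def route_login(identifier: str) -> NextStep:
    """Decide which page follows the identifier page."""
    domain = normalize_domain(identifier)
    if domain is None:
        return NextStep("invalid")
    idp = SSO_DOMAINS.get(domain)      # exact match only, no suffix matching
    if idp is not None:
        return NextStep("sso_redirect", idp)
    # Every other identifier gets the same password page whether or not the
    # account exists, so this step does not reveal which accounts are real.
    return NextStep("password")
```

The exact-match lookup means a domain that merely ends in or resembles a tenant's domain falls through to the ordinary password page instead of being sent to that tenant's identity provider.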

  • paraphrand · 3 upvotes · 9 hours ago

    I always assumed some sites harvest whatever you enter in the first box. Especially if it’s an email address. But other people in this thread have the legitimate answer.

  • just_another_person · 11 upvotes, 3 downvotes · 13 hours ago

    Sometimes it’s just UI/UX, sometimes it’s to deter specific patterns they’ve seen from bots, users, or brute-force. It’s really just subjective. One isn’t necessarily better than the others, though it does mess with automated input of credentials a lot of times.

  • notreallyhere · 6 upvotes, 6 downvotes · 7 hours ago

    It’s called “enshittification”

    there’s a book about it