2022-05-01 Two-step Login Pages
May 1, 2022•369 words
Nothing annoys me more than websites that force a two-step login flow. Seriously. Typical examples include Google, Microsoft, or most Big Tech companies -- when logging into their service, you have to first enter your account ID, and then wait for a (fake) progress bar to load, only after which can you start to enter your password.
I don't know what the principle behind such a design is. Maybe it is for security, by which I mean maybe they can go through some heuristics in the backend after you have only entered your account ID to decide whether to even let you try a password, reducing the possible attack surface. But I seriously doubt how much information you can extract from just entering the account ID in the browser. Besides, a well-designed password authentication system should be resistant to brute-force attempts in the first place.
The reason I hate such a flow so much is that it breaks the flow of password manager usage. Normally, when a website allows you to enter both the account and password on the login page, there is just one click and maybe a master password prompt, and then you are done logging into that service. Not in this case. I have to bring up my password manager, find my account ID for said website, click next, wait, and then bring up the password manager again for the password. Under stricter security policies in the password manager, this would mean entering my master password or whatever credential twice for one login session. That is purely annoying.
I am fully aware that not everyone uses a password manager -- but more and more people are adopting this arguably more secure option online, and it seems weird to me that so many services are still hostile to such solutions. Some websites and apps even disallow pasting into / invoking password manager plugins on the password field. But again, maybe I am just ignorant about all the benefits of doing two-step login pages, or maybe using password managers is just a false sense of security. If any reader knows a deeper reason why, I'd be happy to have a more detailed discussion, which may result in an actual blog post :)