2022-05-01 Two-step Login Pages

May 1, 2022•369 words

Nothing annoys me more than websites that force a two-step login flow. Seriously. Typical examples include Google, Microsoft, or most Big Tech companies -- when logging into their service, you have to first enter your account ID, and then wait for a (fake) progress bar to load, only after which can you start to enter your password.

I don't know what is the principle behind such a design. Maybe it is for security, by which I mean maybe they can go through some heuristics in the backend after you only entered your account ID to decide whether to even let you try a password, reducing possible attack surface. But I seriously doubt how much information can you extract from just entering the account ID in the browser. Besides, a well-designed password authentication system should be resistant to brute-force attempts in the first place.

The reason I hate such a flow so much is that it breaks the flow of password manager usage. Normally, when a website allows you to enter both the account and password in the login page, there is just one click and maybe a master password prompt, and then you are done logging into that service. Not in this case. I have to bring up my password manager, find my account ID for said website, click next, wait, and then bring up the password manager again for the password. Under stricter security policies in the password manager, this would mean entering my master password or whatever credential twice for one login session. That is purely annoying.

I am fully aware that not everyone uses a password manager -- but more and more are adopting this arguably more secure option online, and it seems weird to me so many services are still hostile to such solutions. Some websites and apps even disallow pasting into / invoking password manager plugins on the password field. But again, maybe I am just ignorant about all the benefits of doing two-step login pages, or maybe using password managers is just a false sense of security. If any reader knows a deeper reason why, I'd be happy to have a more detailed discussion, which may result in an actual blog post :)

👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

Subscribe to the author

You'll only receive email when they publish something new.

More from Snowy Day with Peter
All posts

2022-04-27 Contemporary Google-fu

April 27, 2022•491 words

Google-fu has been important since the dawn of the modern internet. Except nowadays, simply knowing how to search for answers is in no way enough. It could even be dangerous sometimes -- this article shows an example of how Google search results are filled with questionable health advice produced by marketing teams -- and without the ability to filter them out in your brain, it is very hard to extract anything useful from such searches. It is not limited to just health-related queries. Even whe...

Read post

2022-05-08 eSIM, and the Sad State of AOSP

May 8, 2022•783 words

The current state of AOSP (Android Open-Source Project) is sad. Or rather, sad from a user / third-party developer perspective. I'm sure this same opinion has been reiterated a million times across the Internet, but my recent endeavor with eSIM only proved this point even more. For the longest time, I thought eSIM was a huge threat to user freedom on Android devices, because I believed all of them had proprietary interfaces that can only be operated through a proprietary vendor app, which often...

Read post

2022-05-01 Two-step Login Pages

More from Snowy Day with PeterAll posts

2022-04-27 Contemporary Google-fu

2022-05-08 eSIM, and the Sad State of AOSP

More from Snowy Day with Peter
All posts