Why are sites switching to two page login processes
May 29, 2016 7:53 AM Subscribe
Tumblr and Google are now using two page login processes where you first enter your username or email and then are sent to a second page to enter your password. What's the reason/logic behind this switch from the standard two item form?
Response by poster: Found a decent'ish' answer on Stack Exchange which highlights interface consistency across platforms and future phishing protection via personalized screens at the password stage based on a verified email addresses (though those could easily be scraped by phishers so ???).
posted by srboisvert at 8:51 AM on May 29, 2016
posted by srboisvert at 8:51 AM on May 29, 2016
Response by poster: oh and also mentioned is a dark pattern of deliberate inconvenience to try and encourage users to remain logged in.
posted by srboisvert at 8:53 AM on May 29, 2016 [4 favorites]
posted by srboisvert at 8:53 AM on May 29, 2016 [4 favorites]
srboisvert - from the 'Original Announcement' link in the first answer:
"We’ll only show this information if you are signing in from a location or device you’ve signed in from before, like your home computer."
I think that's what keeps phishers from scraping that page.
posted by jpziller at 8:56 AM on May 29, 2016
"We’ll only show this information if you are signing in from a location or device you’ve signed in from before, like your home computer."
I think that's what keeps phishers from scraping that page.
posted by jpziller at 8:56 AM on May 29, 2016
Best answer: From the original announcement link, you also see this item:
A better experience for SAML SSO users, such as university students or corporate users that sign in with a different identity provider than Google
This is a huge area for corporate users and it is something I see every day as a user. To translate this into plainer English, the responsibility for authenticating the user in this scenario doesn't belong to Google (or Microsoft or etc.) but rather the corporation or university that you belong to. That is important because a corporation's identity process is likely tied into all sorts of other internal systems and is likely subjected to other regulations. It also means this is a way for you to use a single identity for internal corporate systems as well as public cloud-type services.
The interaction breaks down like this:
1. You go to the login screen
2. You type in your e-mail address and then hit enter
3. The system looks up your e-mail address and sends you to the proper url to collect your credentials that prove you are who you say you are...note that in this scenario, this url that collects your credentials doesn't have to be run by Google/Microsoft/etc. but rather can be run by your employer or university.
4. You provide your password/biometrics/certificates/etc. to the system checking your credentials and if you pass, you are sent back to the original system along with a hidden, securely signed token that represents you. The original system can use this token along with the system that issued the token to identify who you say you are.
-=-=-=-=-
In addition to the above, this model as they mention allows for people to use different forms of password alternatives. In the case of my employer in this scenario, I can choose to respond to these types of requests with the traditional e-mail address + password or if I am on my corporate PC, I can choose to authenticate with digital certificates that are securely stored on my computer. This is also the avenue for people to experiment with iris scanners, fingerprinter readers, two factor tokens, short codes sent in text messages, etc.
All of these things would be hard to do on a single login screen. It is also hard to do with large cloud services where each user's organization has a different subset of these choices available to them. Lastly you could say, "but I'm just a non-commercial end user, why are they making me do this?" Well, part of it is unifying the code base so that the product works the same for all types of users and part of it is people just blindly emulating the people that are doing this for a very specific reason.
posted by mmascolino at 9:14 AM on May 29, 2016 [17 favorites]
A better experience for SAML SSO users, such as university students or corporate users that sign in with a different identity provider than Google
This is a huge area for corporate users and it is something I see every day as a user. To translate this into plainer English, the responsibility for authenticating the user in this scenario doesn't belong to Google (or Microsoft or etc.) but rather the corporation or university that you belong to. That is important because a corporation's identity process is likely tied into all sorts of other internal systems and is likely subjected to other regulations. It also means this is a way for you to use a single identity for internal corporate systems as well as public cloud-type services.
The interaction breaks down like this:
1. You go to the login screen
2. You type in your e-mail address and then hit enter
3. The system looks up your e-mail address and sends you to the proper url to collect your credentials that prove you are who you say you are...note that in this scenario, this url that collects your credentials doesn't have to be run by Google/Microsoft/etc. but rather can be run by your employer or university.
4. You provide your password/biometrics/certificates/etc. to the system checking your credentials and if you pass, you are sent back to the original system along with a hidden, securely signed token that represents you. The original system can use this token along with the system that issued the token to identify who you say you are.
-=-=-=-=-
In addition to the above, this model as they mention allows for people to use different forms of password alternatives. In the case of my employer in this scenario, I can choose to respond to these types of requests with the traditional e-mail address + password or if I am on my corporate PC, I can choose to authenticate with digital certificates that are securely stored on my computer. This is also the avenue for people to experiment with iris scanners, fingerprinter readers, two factor tokens, short codes sent in text messages, etc.
All of these things would be hard to do on a single login screen. It is also hard to do with large cloud services where each user's organization has a different subset of these choices available to them. Lastly you could say, "but I'm just a non-commercial end user, why are they making me do this?" Well, part of it is unifying the code base so that the product works the same for all types of users and part of it is people just blindly emulating the people that are doing this for a very specific reason.
posted by mmascolino at 9:14 AM on May 29, 2016 [17 favorites]
They don't know how the user will be logging in until they know who the user is. Passwords are common now, but there are so many other options (especially for organisations) becoming increasingly common.
There's also a tendency to remember the user's username, so that might not be needed much - taking the user directly to the credential step if they've used the browser before.
posted by BinaryApe at 10:54 AM on May 29, 2016
There's also a tendency to remember the user's username, so that might not be needed much - taking the user directly to the credential step if they've used the browser before.
posted by BinaryApe at 10:54 AM on May 29, 2016
Best answer: Tumblr is also using it to verify the user tracking (scorecard) is working before authenticating the user.
posted by Mitheral at 4:01 PM on May 29, 2016
posted by Mitheral at 4:01 PM on May 29, 2016
Response by poster: I'm actually asking this mostly because I have a couple of tumblr accounts and it has become an incredible pain to login as the second step (password) often ignores what was entered in the first step (email) and reverts to a previously used email.
posted by srboisvert at 6:18 PM on May 29, 2016
posted by srboisvert at 6:18 PM on May 29, 2016
You might be able to fix the 'previous email' issue by making the browser forget that login. For Firefox Options -> Security -> Saved Logins - then delete the old email. Other browsers should have something similar.
posted by quinndexter at 1:30 AM on May 30, 2016 [1 favorite]
posted by quinndexter at 1:30 AM on May 30, 2016 [1 favorite]
This thread is closed to new comments.
posted by Foci for Analysis at 7:59 AM on May 29, 2016 [1 favorite]