this post was submitted on 02 Oct 2023
320 points (97.3% liked)


Back in the old times, on the sites I log in regularly, my browser filled in both username and password. I clicked "Log in" once, and I was set to go.

But no more. Now it's all first a username, then a password. From what I saw, Apple started this many years ago, but now this bother really spread. And it's not like I can just double-click on the same screen area, oh no. Animations make sure that I have to wait several hundred milliseconds before the password field is there, and depending on the site, I even have to select from my browser, which login I want to use, twice!

Why, oh why?

All my screens are really big enough to display 2 text fields. What are arguments for this behavior? I don't see any.

[–] bus_factor@lemmy.world 162 points 1 year ago* (last edited 1 year ago) (4 children)

A lot of services these days support multiple forms of authentication. Did you sign up with a separate password? Did you use Google or Facebook auth? Is this a corporate account where auth is via their SSO? They don't even know whether they should ask for your password until they know who you are.

[–] redballooon@lemm.ee 44 points 1 year ago (1 children)

That’s the best explanation I heard so far.

[–] residentmarchant@lemmy.world 41 points 1 year ago (1 children)

As someone who just built one of these, that is the exact reason we did it.

It would be cool if users just remembered which service they used to sign in, but they often don't, so this is the next best thing. Tell us your email, we look up which service you used, then send you to that service to complete the login.

[–] tja@sh.itjust.works 15 points 1 year ago (2 children)

Pro tip: leave the password field on the site but make it invisible. So when I am using my password manager to fill in the username, the password field will be filled out too. And I don't have to use my password manager twice for one login.

[–] attaxia@lemmy.world 9 points 1 year ago (2 children)

1Password actually is really good at handling these two step login screens, for me it always autofills the password correctly

[–] Plagiatus@lemmy.world 9 points 1 year ago (1 children)

So far Bitwarden has been doing great for me, too.

[–] NightAuthor@lemmy.world 3 points 1 year ago (1 children)

Are you using the auto-fill on page load? I heard that is a security risk.

For me I have to <> <>, <> <>

To login to these forms, and on mobile this means unlocking my vault twice (which happens to be a bit annoying bc my Face ID is broken)

[–] Plagiatus@lemmy.world 1 points 1 year ago

I do not use auto fill, no.

But at least you should be able to unlock your vault once and then keep it unlocked for a few minutes so you don't need to double up. Maybe try the browser extension that you can get for Firefox (both desktop and mobile).

[–] MetaSynapse@kbin.social 1 points 1 year ago

1Password is great, I just switched to it recently after the LastPass kerfuffle and the UX is lightyears better

[–] Dianoga@lemm.ee 17 points 1 year ago

This is the answer. I've had to build it a handful of times and it always feels bad.

[–] boatswain@infosec.pub 3 points 1 year ago (1 children)

So exposing information about users (how they log in) without authenticating that you're someone authorized to have that information?

The better way to do this is to just have "log in with Google" or whatever buttons.

[–] bus_factor@lemmy.world 1 points 1 year ago

As I mentioned elsewhere in the thread, most users don't remember what they used when they created the account, particularly if it's something they don't use often. It's also cumbersome to have to input that, especially if you bundle that with an optional password field.

That's not to say you don't have a point about leaking that information. Personally I'd be more concerned about leaking the fact that I have an account at all. If this is a concern for you, you are likely not inclined to use the likes of Google Auth or Facebook Auth. You'd be better off using a unique password for each service, store them in some sort of password manager, and rely on the default behavior treating "local account" and "no account" the same in terms of showing you the password field.

Maybe that's not your preferred behavior, but it does allow you to keep that data private while simultaneously being easier to use for the SSO users.
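The behavior described in this comment, sketched as an added example that is not part of the thread or any site's real code: the identifier step answers "show the password field" for both local accounts and unknown addresses, and the password step spends the same hashing work either way. Account data, provider names and function names are hypothetical, and the redirect for federated accounts still reveals the sign-in method, which is the trade-off raised above.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library keeps the example self-contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
# Constructed sample accounts (hypothetical names and providers).
ACCOUNTS = {
    "alice@example.com": {"auth": "local", "salt": _SALT,
                          "hash": _hash("correct horse", _SALT)},
    "bob@example.com": {"auth": "federated", "provider": "google"},
    "carol@corp.example": {"auth": "federated", "provider": "corp-sso"},
}
# Dummy credential so an unknown address costs the same hashing work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)


def _lookup(email: str):
    return ACCOUNTS.get(email.strip().lower())


def next_step(email: str) -> dict:
    """Step 1: decide what the login page shows after the identifier."""
    account = _lookup(email)
    if account and account["auth"] == "federated":
        return {"step": "redirect", "provider": account["provider"]}
    # Local account and no account get the identical response.
    return {"step": "password"}


def check_password(email: str, password: str) -> bool:
    """Step 2: verify a local password without a fast path for unknowns."""
    account = _lookup(email)
    is_local = bool(account) and account["auth"] == "local"
    salt = account["salt"] if is_local else _DUMMY_SALT
    stored = account["hash"] if is_local else _DUMMY_HASH
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok and is_local
```
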

[–] blackbrook@mander.xyz 1 points 1 year ago (1 children)

And it's impossible to provide for all these options on one screen, with either a password field that some users ignore or some kind of option selection that either hides or shows it?

[–] bus_factor@lemmy.world 11 points 1 year ago

If you put that much trust in users you are in for a rough time. You'd get tons of "forgot password" requests because people expect to fill in every password field they're presented with. If you ask them what mode of auth they used, they don't know. Heck, I consider myself fairly on top of things, and I don't always remember how I authenticated to some site I rarely visit.

Most users would rather wait for an extra page load than deal with any of the above.