this post was submitted on 01 Jul 2023
90 points (97.9% liked)

Web Development

3434 readers
1 users here now

Welcome to the web development community! This is a place to post, discuss, get help about, etc. anything related to web development

What is web development?

Web development is the process of creating websites or web applications

Rules/Guidelines

Related Communities

Wormhole

Some webdev blogsNot sure what to post in here? Want some web development related things to read?

Heres a couple blogs that have web development related content

CreditsIcon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
 

I see this more and more lately: go to log in to some site, and they only show the username field. Enter username, click Submit, then a password field appears. Enter password, click Submit again, and then we're logged in.

This makes using a password manager super annoying, because I have to trigger the autofill twice.

Is there some security-related reason more sites are doing this? Is it an anti-bot thing? I'm just really curious, because it seems so pointless on its face, but it seems to be spreading.

you are viewing a single comment's thread
view the rest of the comments
[–] xubu@infosec.pub 15 points 1 year ago (6 children)

Paginated login

Microsoft enabled it in ADFS on WS 2019. I know there are plenty other places it's used, but It's the example I'm most familiar with.

There can be a security element to it depending on how the server handles paginated auth as it separates the password field away from the user ID. You can also interject the second factor first before the password to protect brute forcing.

But the larger reason I've read is that it's easier for end users to use. Here's MS talking about it with ADFS.

"Instead of a long form to fill out, a new flow takes you through the sign-in experience step-by-step. Our research shows that with this approach, our customers have more successful sign-ins."

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-paginated-sign-in

Whether this is true or not is debatable. I'd love to see passwords die out. I doubt I'll see that in my lifetime though.

[–] 39Y523R@lemmy.blahaj.zone 2 points 1 year ago (1 children)

I'd love to see passwords die out.

Me too, public key based authentication would be so much better, and safer too. But that would require intelligent end users, which is impossible.

How would you replace it instead? Biometric?

[–] dan@upvote.au 3 points 1 year ago

How would you replace it instead? Biometric?

Biometric or certificate on a physical device (e.g. Yubikey) auth via Webauthn/FIDO2 is becoming more popular.

load more comments (4 replies)