Why did Google & Apple start to use the "Email, then Password" authentication process?

over 4 years ago from David Svezhintsev, Full-stack ninja-unicorn-warrior-princess @ Unfold.co

  • Harper Lieblich, over 4 years ago

    There are a handful of reasons a product team might have for choosing this pattern.

    1. You can identify if a user already has an account. If not, you can re-route them to a Signup screen.
    2. When users are having trouble signing in, it's often hard to know if they're using the wrong email address or the wrong password. This pattern allows the user to solve one incorrect entry at a time.
    3. If you already likely know who the user is, you can skip the email field and present them with only the password field.

    31 points
    • Carlos Cabral, over 4 years ago

      you shouldn't use #1 - your website/app will be exposing who has already signed up

      14 points
      • Scott Liang, over 4 years ago

        Interesting point, I've never thought of this. Maybe it's less of an issue with companies such as Google, where just about everybody has an account and the address is used as your point of contact.

        0 points
      • Jimmy Hooker, over 4 years ago

        It appears this is kind of impossible to get around: https://security.stackexchange.com/a/123464/5446

        2 points
        • Carlos Cabral, over 4 years ago

          depending on your adversary's resources/willingness to break your app, no security system is immune - but you can prevent small scale attacks/leaks with simple procedures like this one.

          1 point
      • Harper Lieblich, over 4 years ago

        And yet, Google does exactly that.

        Enter an existing address and Google will advance you to the password field. Enter a made up address and Google will inform you that it "Couldn't find your Google Account."

        I understand it's a security concern, but I'm not convinced that the risk outweighs the benefits to the user experience.

        2 points
      • Jake Lazaroff, over 4 years ago

        Your website/app exposes this through the sign up flow anyway, where it prevents users from reusing an email address or username already associated with an account.

        Hiding it in the log in flow won't improve security, but it will hurt usability.

        2 points
    • Daniel Marques, over 4 years ago

      Also (and this might not be the case for Google or Apple), if you work with legacy accounts on legacy systems or just multiple systems, with the email first you can infer what system to use going forward for that account.

      This saves the user from the effort of knowing in which system they have to login.

      0 points
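The thread above argues two sides: Carlos Cabral's point that an email-first check tells an outsider which addresses have accounts, and Jake Lazaroff's point that a signup form leaks the same fact. The example below is an added illustration written for this page; it is not code from any of the commenters, nor from Google or Apple. It uses a constructed in-memory user store and hypothetical function names. It contrasts a login check that answers differently for unknown addresses with one that returns a single message and does the same password-hashing work on both paths (so neither the message nor the response time distinguishes them), and shows a signup response that is identical whether or not the address is already registered, with the difference moved into the email that gets sent.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo store (hypothetical): email -> (salt, PBKDF2-SHA256 hash).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(email: str, password: str):
    salt = os.urandom(16)
    return email, (salt, hash_password(password, salt))


USERS = dict([make_user("alice@example.com", "correct horse battery staple")])

# Fixed dummy credential hashed once at startup. The unknown-email path verifies
# against this so it costs the same as a real verification (timing equalisation).
DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = hash_password(secrets.token_hex(16), DUMMY_SALT)

UNIFORM_ERROR = "Incorrect email or password"


def login_leaky(email: str, password: str):
    """Email-first style check: the error text reveals whether the address exists."""
    record = USERS.get(email)
    if record is None:
        return (False, "Couldn't find an account for that address")
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return (True, "ok")
    return (False, "Wrong password")


def login_uniform(email: str, password: str):
    """Same outcome for unknown address and wrong password: one message, one cost."""
    record = USERS.get(email)
    known = record is not None
    salt, stored = record if known else (DUMMY_SALT, DUMMY_HASH)
    # Always run the expensive hash, even when the account does not exist.
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if known and matched:
        return (True, "ok")
    return (False, UNIFORM_ERROR)


# Constructed outbox standing in for a mail-sending service.
OUTBOX = []


def signup_response(email: str) -> str:
    """Signup that does not reveal registration status in the HTTP response.

    A new address gets a verification mail; an existing address gets a
    'you already have an account' mail. The page text is the same either way.
    """
    if email in USERS:
        OUTBOX.append((email, "already-registered-notice"))
    else:
        OUTBOX.append((email, "verify-address"))
    return "Check your inbox for a message from us to continue."
```

The `login_uniform` path still has to return a generic message from the password step as well, otherwise the email-first UX (advance on known address, error on unknown) reintroduces the leak at the first screen; the thread's observation that Google accepts that trade-off stands, and this block only shows what the alternative looks like.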