almost 5 years ago from David Svezhintsev, Full-stack ninja-unicorn-warrior-princess @ Unfold.co
Have you noticed that Google, and Apple, started to use "Email" and only then "Password" authentication process?
What is the reason for adding a secondary step to the process? To support SSO?
There are a handful of reasons a product team might have for choosing this pattern.
you shouldn't use #1 - your website/app will be exposing who has already signed up
Interesting point, I've never thought of this. Maybe it's less of an issue with companies such as Google, where just about everybody has an account and the address is used as your point of contact.
It appears this is kind of impossible to get around: https://security.stackexchange.com/a/123464/5446
depending on your adversary resources/willing to break your app, no security system is immune - but you can prevent small scale attacks/leaks with simple procedures like this one.
And yet, Google does exactly that.
Enter a an existing address and Google will advance you to the password field. Enter a made up address and Google will inform you that it "Couldn't find your Google Account."
I understand it's a security concern, but I'm not convinced that the risk outweighs the benefits to the user experience.
Your website/app exposes this through the sign up flow anyway, where it prevents users from reusing an email address or username already associated with an account.
Hiding it in the log in flow won't improve security, but it will hurt usability.
Also, (and might not be the case for Google or Apple) but if you work with legacy accounts on legacy systems or just multiple systems, with the email first you can infer what system to use going forward for that account.
This saves the user from the effort of knowing in which system they have to login.
I think the reason is to support other organizations SSO. CMU Alumni uses Google Apps. As soon as I enter my email address in Google login form it takes me to CMU login screen.
We've dealt when building the login experience for Lucidchart, and this was the reason.
yeah, this is why. Atlassian / Gmail do it to redirect you to the correct login screen.
Indeed... breaking the flow helps to handover authentication to a third-party service (IDP) via SAML/OAuth protocols.
I don't know the reason, but I find it very annoying because sometimes it breaks password managers
Indeed it's already hard enough to remember credentials for someone not using a password manager like most people using the internet that are not tech savvy.
On top of this, it's just another step in the process of signing into an account that I don't want. Finding ways to do away with passwords is what people should be advocating for rather than separating an already small and simple process into multiple steps.
I've had to switch logins to this—it was for SSO and other post-email authentication (not for any of the UX simplicity mentioned here). It was the simplest way to tackle a hydra-flow situation bureaucracies tend to require.
1 text field is simpler than 2.
Paypal also did the same thing.
Login to Comment
You'll need to log in before you can leave a comment.
LoginRegister Today
New accounts can leave comments immediately, and gain full permissions after one week.
Register now