I've noticed this trend now where you are first asked for your username or email, then the page reloads with the password box separately. This is really annoying if you use a password manager as you sometimes have to open it twice. Where has this come from? Is it safer?
Several large sites, including google/gmail and MS, do this so they can offer separate corporate versions of their cloud products. When you enter your username, it checks whether this is a consumer or corporate username, then the password page you see actually comes from a completely different page.

Try going to login.microsoftonline.com which has both a username and a password field and then type "alpha@bristol.ac.uk" into the username field and TAB out (this is not a real username by the way). You'll be redirected to the Bristol version of the sign-in page and get to see a nice picture of their university tower.

On gmail, once you've entered your e-mail address, if it's from a computer it recognises (some combination of cookies and IP address) then the password page will show your avatar; if it's from an unknown computer it won't. I guess this provides a very small signal that can be helpful in detecting phishing.
The only justification I've ever seen was places gearing up for multi-factor authentication.
The front login page, asking for your account, tells the backend how you're configured to login (token, password, biometric, whatever). Then the second page is variable depending on your authentication method.
I'm really looking forward to an answer for us, if someone with deep and relevant knowledge is around. There are a couple of possibilities that come to mind:

1) Perhaps testing reveals that some users are pushed away by the complexity of being confronted with two fields at the same time, and these users are more likely to successfully login presented with only one field at a time.

2) Perhaps there is some actual good security reason for it.

3) Perhaps there is some bad security reason for it. First example, lots of sites appear to express a belief that password managers are evil, and that users must be forced by increasingly obstinate means to type each long detailed robust password one single character at a time. Maybe this is simply an extension of that somehow.

4) Perhaps a security standard somewhere was devised that for some reason (good or bad) demanded this behavior; then it has been copied across the industry ever since.
I've seen this on some bank websites, that display a user-selected picture after giving them your user ID. I guess that is so the user can verify that they are talking to the legitimate site.
Many sites have started using "magic links" where you can choose to either receive an email with a link that will authenticate you or you can input the password.

Both Netflix and Slack do this.
Microsoft appears to do it as well with Office 365 and Azure (and related services).

They appear to distinguish two types of accounts ('Live ID' type accounts for personal use, and 'Work' accounts) and it is possible for a single e-mail address to refer to both. When I enter my work email, I get to choose between 'use my work account' (which exists in Azure AD) and 'use my personal account' (which some years ago I registered as Live ID), then get the password prompt.

Actually their implementation is a bit annoying, because the password field in some cases is already visible before the choice between personal/work is presented - as soon as you tab out of the username field, you get the choice and you have to type your password afterwards.
Couple of potential reasons: 1) progressive disclosure, getting people invested in filling out simple aspects of a form leads to increased conversions (i.e. giving an email address is easy, whereas creating an account is a different cognitive behavior, but a hypothesis is that it's easier to convert once the user is in the flow). 2) following Google. If there's ever a move to implement other authentication methods, then splitting it into that flow makes sense (if there's not, then it doesn't...)
I've seen it on a lot of websites.

It's better if you don't remember which email you used to sign up, as it validates it right away without you having to enter the password, so you can make multiple attempts more quickly.

It somewhat looks better because after you've entered your email they can show your profile picture.

On Chrome at least, autocomplete still works, so you don't have to enter your password manually if you have it saved. I don't know if other browsers (or even Chrome on certain websites) might get confused if username and passwords aren't together.

It makes it seem easier to login. Having to fill 1 field twice feels better than having to fill 2 fields once (in my opinion, at least).
Bank of America and Vanguard both used to do this, but within the last year both switched to a single stage login, and both said they were switching to single stage to improve security.
The only place I've seen this done is Google.

For them it makes sense. Since a long time ago, they've had a feature where you use your custom authentication service to sign in (think: on-site Kerberos instance).

For example at school the form would show both email and password fields, but I would enter only my school email into the username and then it would redirect me to my school's centralized login.

So now instead of mistakenly showing the password field sometimes, they only show it when necessary.
We use multiple identity providers for users to sign in to our website and we have a 2-stage login form to either redirect a user to the identity provider their organization uses or to use our native login/password authentication.

As for Microsoft's login, authenticating users can belong to some Azure Active Directory or Office 365 for Business etc., so Microsoft decides which backend to authenticate users against.
Anecdotal, but we implemented this as we had a large number of existing users who would sign up on our marketing site (when they were actually trying to sign in).

We changed it so that they enter their email first, then we detect whether we have that email in our db, and direct them to the appropriate next step (either a sign up form as a new user, or a password field for an existing user).
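The first-stage logic the two comments above describe (redirect to an organisation's identity provider, otherwise show the local password prompt or a sign-up form), as an added example that is not code from any of the sites in this thread. The domain table, user table and IdP URLs are constructed placeholders; the `reveal_unknown` switch shows the trade-off between routing unknown addresses to sign-up and not confirming whether an address has an account.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: e-mail domains whose users are federated to an
# external identity provider (URLs are placeholders, not real endpoints).
FEDERATED_DOMAINS = {
    "bristol.ac.uk": "https://idp.bristol.example/sso",
    "corp.example": "https://login.corp.example/saml",
}

# Constructed sample data: local accounts and the factors each is configured for.
LOCAL_USERS = {
    "alice@example.com": ("password", "totp"),
    "bob@example.com": ("password",),
}

@dataclass(frozen=True)
class NextStep:
    action: str                    # "redirect" | "password" | "signup"
    target: Optional[str] = None   # identity-provider URL when action == "redirect"
    factors: Tuple[str, ...] = ()  # prompts the second page must render

def first_stage(identifier: str, reveal_unknown: bool = False) -> NextStep:
    """Decide what the second page shows, given only the identifier.

    reveal_unknown=True sends unknown local addresses to sign-up, which is
    convenient but tells anyone who asks whether an address has an account.
    The default answers every non-federated address with a password prompt,
    so the first stage alone says nothing about account existence.
    """
    email = identifier.strip().lower()
    if email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
        raise ValueError("identifier must be a single e-mail address")
    domain = email.rsplit("@", 1)[1]

    # 1. Home-realm discovery: federated domain -> hand off to that organisation's IdP.
    if domain in FEDERATED_DOMAINS:
        return NextStep("redirect", target=FEDERATED_DOMAINS[domain])

    # 2. Known local user -> render exactly the factors they are configured for.
    factors = LOCAL_USERS.get(email)
    if factors is not None:
        return NextStep("password", factors=factors)

    # 3. Unknown local address: sign-up flow, or a password prompt that looks
    #    the same as the one a password-only existing user would get.
    if reveal_unknown:
        return NextStep("signup")
    return NextStep("password", factors=("password",))
```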
I've seen it being used so that if the username/email isn't registered, it will load the "Sign Up" process, but if it is, it will instead redirect to the standard login.