Some time in the last year or two, it has become fashionable to have login flows consist of two individual views: one view where you enter your username/email, and another view for your password. Why the sudden divergence from rendering these within the same form in the same view? Why the extra click? It’s also annoying from the perspective of password managers when not done properly.
Single sign on. Users accessing online services, for example AWS console, from within the corporate environment, may not use passwords. Identity is federated from whatever corporate directory service the org uses.
Those who are saying SSO should take note that it’s not really necessary to use this pattern for SSO. For example, Microsoft uses the pattern that they will redirect you as soon as your email looks like an SSO email. This has the benefit of allowing a user to enter their password before their username (not doing so being a major pet peeve of mine when copying a password from a password manager).
Twilio did explain this in their blog post: https://www.twilio.com/blog/why-username-and-password-on-two-different-pages
I get the answers, but why not cache the password in the browser for the duration of the redirect? edit: ah I see, sometimes cross domain, that would make the handover potentially dangerous. I thought of just keeping it in js.
While we're on this topic, why have some sites started refusing to prompt me for my password and instead are sending codes to my email? slack.com is a great example. It's like 2FA without the first factor.
I’ve answered this previously here. https://news.ycombinator.com/item?id=24238783 In a nutshell it’s to handle federated identities.
It's for enterprise (and other) customers with SSO. Not all sites require two steps for this, though. HackerRank lets you leave the password field empty, and based on whether you have SSO enabled it either redirects to that or returns an error.
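The two routing patterns discussed in this thread (identifier-first, and a single form whose password field may be left empty), as an added sketch that is not code from any commenter or from the sites named. The domain table, IdP URL and function names are hypothetical; `login_hint` is the standard OpenID Connect request parameter.

```javascript
// Constructed sample data: email domains with SSO enabled, mapped to a
// hypothetical IdP authorization endpoint.
const SSO_DOMAINS = new Map([
  ["corp.example", "https://idp.corp.example/authorize"],
]);

// Identifier-first flow: decide the next step from the email alone.
function nextLoginStep(identifier) {
  const email = String(identifier).trim().toLowerCase();
  const at = email.lastIndexOf("@");
  // Malformed input gets the same answer as an ordinary local account,
  // so this step does not reveal which identifiers exist.
  if (at < 1 || at === email.length - 1) return { step: "password" };
  // Exact match on the full domain: a suffix or substring match would
  // misroute look-alike domains such as corp.example.other.test.
  const idp = SSO_DOMAINS.get(email.slice(at + 1));
  if (!idp) return { step: "password" };
  const url = new URL(idp);
  url.searchParams.set("login_hint", email); // pre-fills the IdP's form
  return { step: "redirect", location: url.toString() };
}

// Single-form variant: both fields on one page, password may be empty.
function singleFormStep(identifier, password) {
  const next = nextLoginStep(identifier);
  // Federated account: redirect and never evaluate the submitted password.
  if (next.step === "redirect") return next;
  if (!password) return { step: "error", message: "Password required" };
  return { step: "verify" }; // hand off to the local credential check
}
```

In the single-form variant a federated user's password can still reach the service if they type one, which is the exposure the identifier-first flow avoids.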