I’ve noticed that a number of websites that I use for work which require me to log in, have gone to a two-page login where you enter your user ID first, then a second page for the password, rather than both user ID and password on the same screen. (And then sometimes a third screen for your two-factor authentication code that they send to your phone.) What’s the logic here - that you’re not sending both pieces of your credentials on the same page so not as easy to steal? I would expect that if the site is using https then your credential info should already be encrypted, so what’s the added benefit of making you enter your credentials on two separate pages?
A lot of websites now have multiple auth providers – consider all the sites that let you log in with Facebook or Google, for instance, but there are less obvious reasons e.g. if multiple applications are merged to share a common entry point. Entering your ID first allows the site to look up which auth provider you’ve opted to use and load a 2nd page that’s specific to that provider.
Ah, that makes perfect sense. So if I’m running a website where the only way you can log in is with the credentials you created when you registered (no Google, no Apple, no Facebook, etc.) then there’s really no need to split the login in two? It’s perfectly acceptable to have user ID and password fields on one page?
Perfectly acceptable, with the caveat that nobody really finds single factor authentication particularly cromulent anymore. So even if a single page accepts your username/password, it would still be best practice to follow up with an authenticator app at best or a SMS code at a minimum (SMS 2FA is rapidly falling out of favor as better alternatives become more available and mainstream).
If I want to login to my work Office account, I put my ID on the first page, which is the same for all Microsoft Office users. The second page, where I put in my password, has my company logo, etc. Authentication only takes place after I have successfully entered my password.
Out of idle curiosity, what are some of these alternatives?
In South Africa, my bank does still offer SMS 2FA, but the preferred way is to enter a username on their website, and then scan a QR code from their mobile app, plus a passcode.
A lot of online web dev resources use various “Authenticator” software, either open or proprietary, that generate a passcode. (Irritatingly, i have three such apps, all named “Authenticatior”, one from Google and one from SecureEnvoy, and one from Lastpass). I have no idea of the algorithms in the background, as the numbers in the passcode appear to be random
And finally, some opt to send a push message to their app on your phone, which is more secure than simple SMS.