found a question on stack exchange about it, it apparently is good because it decouples parts of the log in process and reduces brute force attempts, but also it makes auto fill incredibly tedious so meh
@wolfie I think it's mostly because some people will be logging in via Single Sign-On according to their account settings, and therefore won't be prompted for a password.
In the early days of this practice, it really messed with password managers, but now they seem to handle it better. I'm not sure on which end things improved.
I don't think it meaningfully helps against brute force attempts, though.
@varx I'm not sure what you mean by single sign on? On any site I've ever seen this I have to enter the email/username and then it loads the password box after you submit
@wolfie Single Sign-On (SSO) is when you delegate authentication to some third party. A classic example of this is "Sign in with Facebook". The site sends you off to Facebook, then Facebook authenticates you and redirects back with a token indicating and vouching for your identity.
But there's another variation where you give your identity first, and *then* the SSO flow kicks off. This is common for corporations and universities and looks like this: Try to go to GMail; Google asks for your email address; Google sees that you entered firstname.lastname@example.org and that the Example Corporation has a special sign-in flow; Google redirects to Okta or OneLogin or some other SSO Identity Provider (IdP); the IdP redirects back vouching for your identity; you finally get to your mail.
The "only email first" pattern (partially) exists to support this -- it has to check your email address to know whether you'll even be signing in with a password.
@wolfie The real fun is that you can have a whole chain of identity providers, where Corporate Internal App delegates to Corporate Identity Provider which delegates to Google which delegates to Okta or some other awful sequence like that. (I can't think of a real example at the moment, but I've seen one.)
@wolfie You're totally right, by the way, that it's a security flaw to reveal whether an email address is registered with the site. But there are enough good reasons to do it from a usability perspective that some sites will just accept the risk. 🤷
@varx ah, thanks for explaining, I've only ever seen the SSO process be triggered by specifically clicking the "sign in with X service* button on a page that also has a username and password box rather than typing the email and triggering it so I wouldn't have associated that, the hide the password type of login has mostly happened to me on sites that afaik didn't have SSO
@wolfie I've also seen it on some sites that I'm _pretty_ sure don't use SSO, like credit unions, but financial institutions also tend to do cargo cult security sooooo... 🤷
A silly instance of Mastodon for queer folk and non-queer folk alike. Let's be friends!