upvote

points

by fmajid8 hours ago |
comments
upvoteby quirino7 hours ago|
next
[-]
I've had good fun reading about best practices for forms in Adam Silver's blog.

https://adamsilver.io/blog/form-design-from-zero-to-hero-all...

He has posted many new things since. Probably one of the best UX resources on the web.

reply
upvoteby singpolyma35 hours ago|
prev|
next
[-]
> don't have a form with just a login email and force the user to click to enter the password

This is required for any non trivial auth system though. You not know until the user is submitted if that user has a password or is using something else.

reply
upvoteby qup4 hours ago|
parent|
[-]
So what if we don't know? We can find out at the same time.

We're trying to authenticate a pair: user/pass.

reply
upvoteby extra884 hours ago|
parent|
[-]
There is no pair for the enterprise users signing in with their company's SSO or those using Passkey.

I think what some sites do is have a visually hidden, not required password field that a password manager can fill in. If it's not a password-based auth, the flow goes to the next step but if it is, it reveals the password field which may already be filled in.

reply
upvoteby luckylion3 hours ago|
parent|
[-]
Aren't you leaking that there's an account with that email that has a non-password auth method if you treat them differently?
reply
upvoteby extra882 hours ago|
parent|
[-]
How would you avoid that? How would someone exploit that information? The whole point of the other auth means are that they're more secure.
reply
upvoteby 8organicbits1 hours ago|
parent|
[-]
If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.

Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.

It's very low on my list of concerns though, usually there's much worse problems when I pentest.

reply
upvoteby xg156 hours ago|
prev|
next
[-]
> Or how many sites that have a form with only one input don't automatically focus on it.

That's one example where the "web stack" expects every single website to implement things manually that were standard in native UI toolkits. Then of course the majority of websites will not deem it a priority or not realize it's a thing to consider at all - and we end up in a situation like this.

reply
upvoteby xg157 hours ago|
prev|
next
[-]
> don't have a form with just a login email and force the user to click to enter the password

I was noticing that this kind of login forms seems to be proliferating, especially on "big tech" sites. (And personally, I also find it annoying)

Always assumed there was some reason why sites are switching to this pattern, e.g. better bot protection. Does anyone know more about this?

reply
upvoteby mpetrovich7 hours ago|
parent|
next
[-]
I suspect they ask for email first in order to determine whether to log you in via SSO vs. require a password.
reply
upvoteby johannes12343219 minutes ago|
parent|
next
[-]
I think it started with somebody like Yahoo!, who said that they that way could show your profile image or something and thus verify to you that this isn't a scam phishing site. I don't remember the complete argument, though.

But yeah, nowadays it's mostly SSO, I assume. Which is still annoying as on the SSO site I have to enter my mail address again (or rather: have my password manager doing it ;) ), which is an inconvenience and where I wonder how much of that is to collect data about companies where employees would like to use the service for having sales reaching out. In many places (like Slack or Zoom) company is picked by domain name (yourcompany.slack.com etc.) and then leading to the right SSO.

reply
upvoteby 9dev6 hours ago|
parent|
prev|
next
[-]
As someone who's built just that, can confirm. If users have SSO configured, or a Passkey, or any other policies apply, you first need to identify the account to be able to determine which options to offer - maybe they don't even have a password in the first place, so displaying the field would cause confusion. As a side effect, this also conveniently allows to check for blocked accounts.
reply
upvoteby xg156 hours ago|
parent|
prev|
[-]
Ah, that would make sense.
reply
upvoteby jurf7 hours ago|
parent|
prev|
[-]
I always assumed it was because of SSO redirects
reply
upvoteby extra883 hours ago|
prev|
next
[-]
> many sites that have a form with only one input don't automatically focus on it.

That's reasonable to do when that form is the reason a page exists but otherwise it's best to not mess with the user's focus.

reply
upvoteby notpushkin7 hours ago|
prev|
[-]
Evil Martians have a nice write-up on the login forms: https://evilmartians.com/chronicles/html-best-practices-for-...
reply