The best I’ve seen was yesterday where a website had the log-in button greyed out after the password manager filled my creds in.
So I had to manually click both the email and password field. Just click them. Then it enabled the log-in button.
So someone took their time to write a piece of JS that said “If the user hasn’t focused both fields at least once, no login”. Literally why? Extra code that does nothing useful.
I was hoping passkeys would be the solution to this madness, but it seems to me the entire spec gives too much power to the OS Makers and too little to the users because “mUh AtTtEsTatIoN” so now I don’t know anymore
God I hate those stupid magic links. They’re WAAAAYYY slower than just using my password manager.
AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don’t have a Gmail account. Somewhere along the stupid chain there’s probably some stupid check that delays or blackholes emails to non-big-tech domains.
Based.
Email is terrible. It’s an unreliable communication system. You cannot depend on sent emails arriving in the recipient’s mailbox—even the spam folder.
People indirectly assume that all emails at least get to their spam folder. They don’t. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.
I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.
Also This strange trend to split username and password on to two separate pages, or only showing the password field after confirming the username
- Username
- Password
- MFA
- Do the whole process all over again because the remember this device is on step 2 and it’s impossible to go back
Bonus stage 0: special login URL decided to crap out, and going back to any point in history automatically redirects to the error page that you can’t use to log in, so you need to keep going back and trying to copy the URL before it redirects becausw Firefox interprets pressing “stop” as “do whatever you want idk”
Fucking aws…
You forgot step 2.5: incorrectly identifying stoplights 6 times in a row.
Not that strange. Different users may belong to different groups which may have different authentication backends. The associated authentication method is brought up once a username has been provided.
if your choice of api route directly affects your auth flow something is very wrong.
Yes, but, it also lets them slurp up email addresses. Routing users is legit tho.
You can do that as part of an OAuth workflow. You don’t need to have them on separate pages for that to happen.
And the auto-submitting TOTP entry form where you’re apparently not allowed to make a typo. And obscuring the TOTP number like it’s a password or state secret.
This is because of Enterprise Single Sign On. You can try this for yourself by going to https://gmail.com/ and enter the email of a public person at a large org, for example the CEO of Doordash (
tony@doordash.com). After you enter the email, you get sent to Doordash’s employee portal to authenticate. Based on the email you provide, Gmail has to figure out if you need to provide a password to gmail itself or if the email authenticates another way.It’s not like you can’t add a “Log in with your company’s SSO” button to the form. That works just fine and at least Microsoft does something like that.
Not sure I’d take design inspiration from Microsoft of all places. Also https://login.live.com/ has the same workflow email -> continue -> password. Not sure where you’re seeing Log in with SSO option.
My company uses Entra ID (or whatever they’ve renamed it to this week) and it’s a pretty common sight in our login flow. I think our SharePoint instance does it so it should be something MS does.
Of course it all depends on w how the company configures it.
Ok, I think I get what you’re saying. You mean have a different form input without the password, like how it’s done here: https://eu.app.orcasecurity.io/login? I guess that’s one way to do it, but it’s not really intuitive from a user perspective, since the first thing you see is a password field, and then think you don’t have access because you don’t have a password. This one comes to mind because I have had to tell people to click the tab for the email only field, not email and password.
1Password handles this gracefully
HEY BUT DO YOU WANT TO USE A PASSCODE?? PASSCODE! PASSCODE! USE THE PASSCODE! -_-
Yeah what the hell is up with that one? Seems so sketchy
Passkeys are okay, but your browser and OS want you to use them because you can’t just take a passkey to another platform, you have to create a new one, and it’s a pain in the ass.
It’s a lock-in gimmick latching on to a real useful solution.
Password managers can hold Passkeys now and they’re portable. Bitwarden stores all of mine, use them on any machine.
That’s false. My passkeys sync to my password manager and are available on all my devices
Passkeys are fine. It’s just MTLS but by marketers (if by passcode you mean passkeys. otherwise, what’s a passcode?)
It feels like the factors of authentication discussion misses one important aspect: can the factor be replayed. Passwords can be replayed indefinitely, while the email links you get or the OTP token only work for a short period of time.
I remember it from the bad days when I used LastPass. Suddenly I got a notification that the place had been compromised and I had to suddenly change hundreds of passwords. 90% of them were for sites that didn’t even exist any longer, but sifting through the long, long list to go change passwords was more work than I wanted to do.
Don’t have to do that if I need to use a one-time token via Aegis or email! I do agree, though, that for low risk sites, username/password is totally fine.
The amount of security threat encouragement in these comments is impressive.
Ah but you see it’s one factor of authentication that also conveniently loops in whichever email provider is spying on you
Of course. How would Microslop or Google LLMs snoop on your data then? You guys really make no effort… /s
Just let me use passkeys at this point. The way that people typically use passwords is less secure anyway, why not just make it as simple as possible?
I would love to use my physical Yubikey, but all the websites I’ve seen that allow passkey login always deny both Yubikeys.
I forget. Are passkeys the access method that prevents you from logging in ever again if you lose access to a device?
No? My password manager holds them so they are available everywhere…
Typically, no. You’re thinking of TOTP/Authenticator based 2FA. Those still come with backup codes in case you break the phone that has the TOTP codes warehoused. I always recommend keeping those backup codes saved in the notes of whatever password manager you’re hopefully using.
Passkeys are essentially just one half of a cryptographic key pair (like what you’d use for authenticating SSH without passwords). These allow you to authenticate once using password + 2FA, then use the generated passkey for future sessions. Since these are much more complex than passwords and remove the need to actually remember anything, they are significantly more secure.
There are also some other features that I’m forgetting, and that may not be a perfectly accurate description, but I think you can get the gist.
Passkeys are supposed to be bound to one device and protected by that device’s OS’s secure enclave. If you have a second device you’re supposed to create a second passkey.
That’s why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn’t fit the security model.
Yeah, that’s how I understood it to work, as well. I didn’t mention it because I’ve seen a bunch of different implementations that don’t seem to work that way. I didn’t want to speak too much on that specific point, since I don’t have a very thorough understanding of it.
Only if you use the OS built-in saving.
Most password managers support them at this point, making them portable and secure.
Yes
My email uses greylisting which is where the first email received from a server gets a “busy” response - the idea being that spammers just fire and forget whereas real mailers will retry.
Unfortunately, some senders take so long to resend that it’s timed out. The second time will work though. Unless they have multiple servers. Some have so many servers that you have to do this a multitude of times until you lose the will to login or forget what you were going to do anyway.
I can imagine that the sites want to validate that you still have access to the email associated with the account, and asking people to check their settings is annoying, and they know no one will do it. I can also imagine that sites want to know as much about you as possible, don’t want you to be using burner email addresses, and are probably selling the fact that your email address can still receive email to marketing firms who compile that info.
Annual/routine email verification fills that need, though. For the sites i do support desk for, an email verification link is sent during account creation and then annually. If the email address is not verified then on login the account holder is prompted to either resend the verification link or change it and verify the new email.
Passwords are quite insecure and people write them down on shit and forget them, I vastly prefer it too, but they’re going to die out, probably rather soon, so be prepared.
Hearing this in Spongebob’s voice is amazing!
I weirdly don’t mind the email method. I don’t like copy pasting my passwords because I feel it’s less secure than typing it out.
Now I wouldn’t mind if it was an option.
That’s why you use password managers.
No need, just use Forgot Password for every login. No password manager needed /s
