What are the reasons to have a two step login? (Username on one page, password on the second.)
So I've recently been encountering more two step login processes, where I'm required to enter my username on one page and my password on a second. I really don't like this pattern, as it requires an extra page load just to log in.
But I've been told by a couple of people that it is more secure. How is it more secure? Are there other reasons to inconvenience the user with this?
I would say it makes it less secure.
Because you can then know that user123 has an account on the site, and then you can do a brute force on that account.
Standard practice is to never let people know whether it was the account or the password that was incorrect ("you entered an incorrect username or password"), making it a lot harder to brute force.
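The difference this answer describes, as an added example that is not code from the thread: a handler that tells the caller "no such user" confirms an account before any password is checked, while a hardened handler returns one generic message, always performs exactly one hash computation, and compares in constant time, so an existing and a non-existing username look the same to the caller. The in-memory user table, the hashing parameters and the function names are assumptions made for this example.

```python
"""Enumeration-resistant password check (added example, not from the thread).

The user table, the hashing parameters and the handler names are assumptions
made for this example; a real service would read the record from its user store.
"""
import hashlib
import hmac
import os
from typing import Tuple

HASH_ITERATIONS = 200_000
GENERIC_ERROR = "Incorrect username or password."  # identical text for both failures


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, the standard library's slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)


# Constructed sample user store: username -> (salt, password hash)
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT))}

# Dummy record for unknown usernames, so the handler always pays for exactly
# one hash computation; this keeps timing roughly the same whether or not the
# account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("never-a-valid-password", _DUMMY_SALT)


def leaky_login(username: str, password: str) -> Tuple[bool, str]:
    """The pattern the answer warns about: the first error tells the caller
    that the account exists before any password has been checked."""
    record = USERS.get(username)
    if record is None:
        return False, "No such user."
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "ok"
    return False, "Wrong password."


def verify_login(username: str, password: str) -> Tuple[bool, str]:
    """Hardened version: one generic message, one hash computation, and a
    constant-time comparison regardless of whether the username exists."""
    record = USERS.get(username)
    known_user = record is not None
    salt, stored = record if known_user else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if known_user and match:
        return True, "ok"
    return False, GENERIC_ERROR


if __name__ == "__main__":
    for name, pw in [("alice", "wrong"), ("mallory", "wrong"),
                     ("alice", "correct horse battery staple")]:
        print(name, leaky_login(name, pw), verify_login(name, pw))
```

The dummy record matters as much as the message text: if the unknown-user path returned early, the response time alone would separate real accounts from guesses even with identical wording.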
My Bank found a very good reason to use two-step authentication: They've got 3 methods of authenticating users that I know of:
Crypto card for companies
Crypto card for private accounts (different kind of card!)
Password-only authentication
They use two-step login so they know the kind of account you've got so they can offer some assistance when entering the password. If you need to enter a password they clearly ask for a password. If you need to use your crypto card to generate a unique authentication code they ask for the code and provide a help link specific to your kind of card.
This is kind of a weird case: if the main site is served unencrypted (for performance reasons, probably) but you want users to be able to start the login process from that page instead of clicking on a "log in" link, sending your user name unencrypted isn't a big deal, and then you could serve the second part of the login page (the password field) over HTTPS.
I think it's probably not worth it (more work for programmers, more work for users, tiny tiny decrease in processor work load), but some people might think it's worthwhile.
Example: First National does this on their home page.
I could only find this older documentation about it, www.schneier.com/blog/archives/2005/10/us_regulators_r.html. Long story short, US banks and, I believe, credit card companies are required to use two-factor authentication for their website login forms.
As the post discusses, it doesn't really solve the problem; it just gives criminals one more hoop to jump through.
The only reasoning I can come up with involves preventing automated attacks.
Where the username and password are both accepted on one page, it's relatively simple to create an automated script that will hammer that page with username and password combinations until something gets through - called a "Brute force" attack, for obvious reasons.
Having your username entered on one page and your password entered on another page would make this sort of attack more difficult, but not impossible. It would do a nice job of keeping out simple attackers, and put you ahead of the majority of sites.
While you're not technically more secure than your neighbor, you're not one of the low-hanging fruit anymore.
Accepting username and password on separate pages does not make the application more secure in any way whatsoever. I'm interested in knowing which website(s) you encountered this on.
The only reason that I've seen the two step login as you describe it be more secure is if the username entered on the first page is matched to some sort of image or phrase that the user chooses when they register. This helps the site verify itself.
If someone were to copy your site to use in a phishing campaign, they wouldn't be able to display the image or phrase. It protects the user when they enter their password.
If you are not pulling up any additional account security items from the first page to the second, then there isn't much point to doing it that way.
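The flow this answer describes, as an added example that is not code from the thread or from any site mentioned in it: page one takes the username, stores it server-side under an opaque single-use token, and shows the phrase the user chose at registration; page two takes the token and the password. It goes one step beyond the answer in one respect: an unknown username gets a decoy phrase derived with an HMAC over the name, so the step-one response alone does not reveal whether the account exists (a real user sees their own phrase, a probe sees a stable but meaningless one). The user table, the token lifetime, the decoy list and every function name are assumptions made for this example.

```python
"""Two-step login with a user-chosen anti-phishing phrase (added example,
not code from the thread or from any bank).

Step 1 takes the username and answers with an opaque step token plus the
phrase the user chose at registration; step 2 takes the token and the
password.  An unknown username gets a stable decoy phrase derived with HMAC,
so the step-1 response alone does not say whether the account exists.
Every name and value here is assumed for the example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)  # constructed; load from config in a real service
STEP_TTL = 120                           # seconds a step-1 token remains usable
DECOY_PHRASES = ["blue heron", "copper kettle", "quiet harbour", "paper lantern"]


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: the phrase was chosen by the user at registration
_alice_salt = secrets.token_bytes(16)
USERS = {
    "alice": {"salt": _alice_salt, "hash": _pw_hash("hunter2", _alice_salt),
              "phrase": "green teapot"},
}
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _pw_hash("not-a-real-password", _DUMMY_SALT)

# Server-side state for logins that completed step 1: token -> (username, created_at)
PENDING: Dict[str, Tuple[str, float]] = {}


def phrase_for(username: str) -> str:
    """Registered users get their own phrase; anyone else gets a decoy that is
    stable for that username, so repeated probes see no difference."""
    user = USERS.get(username)
    if user is not None:
        return user["phrase"]
    digest = hmac.new(SERVER_SECRET, username.lower().encode(), "sha256").digest()
    return DECOY_PHRASES[digest[0] % len(DECOY_PHRASES)]


def step1(username: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Page one: record the username server-side and return the phrase to show."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[token] = (username, now)
    return token, phrase_for(username)


def step2(token: str, password: str, now: Optional[float] = None) -> bool:
    """Page two: the token is single-use and expires; the password check does
    the same amount of work for unknown users as for real ones."""
    now = time.time() if now is None else now
    entry = PENDING.pop(token, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, created = entry
    if now - created > STEP_TTL:
        return False
    user = USERS.get(username)
    salt, stored = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_pw_hash(password, salt), stored)
    return ok and user is not None


if __name__ == "__main__":
    tok, phrase = step1("alice")
    print("phrase shown:", phrase)           # the user checks this before typing a password
    print("login:", step2(tok, "hunter2"))   # True
    print("replay:", step2(tok, "hunter2"))  # False: the token was consumed
```

Two points worth keeping in mind when building this for real: the phrase is only as confidential as the username that unlocks it, so it proves the site to the user only against a copy that cannot reach the genuine step-one endpoint, and the pending-login table needs the same rate limiting as the password endpoint, since it is the page an automated script would hit first.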
Real two factor authentication introduces another level of security by getting users to log in with their username and password and then, say, a code generated on their phone or via a card/code generator (Barclays Bank sent out card readers that generate a use-once code based on your card swipe).
Splitting the username and password on to two different pages doesn't add anything in terms of additional security (AFAIK)