Why Google & Apple started to use "Email, then Password" authentication process?

almost 2 years ago from David Svezhintsev, Full-stack ninja-unicorn-warrior-princess @ Favored Crew

  • Carlos Cabral, almost 2 years ago

    you shouldn't use #1 - your website/app will be exposing who has already signed up

    14 points
    • Scott Liang, almost 2 years ago

      Interesting point, I've never thought of this. Maybe it's less of an issue with companies such as Google, where just about everybody has an account and the address is used as your point of contact.

      0 points
    • Jimmy Hooker, almost 2 years ago

      It appears this is kind of impossible to get around: https://security.stackexchange.com/a/123464/5446

      2 points
      • Carlos Cabral, almost 2 years ago

        Depending on your adversary's resources/willingness to break your app, no security system is immune - but you can prevent small-scale attacks/leaks with simple procedures like this one.

        1 point
    • Harper Lieblich, almost 2 years ago

      And yet, Google does exactly that.

      Enter an existing address and Google will advance you to the password field. Enter a made-up address and Google will inform you that it "Couldn't find your Google Account."

      I understand it's a security concern, but I'm not convinced that the risk outweighs the benefits to the user experience.

      2 points
    • Jake Lazaroff, almost 2 years ago

      Your website/app exposes this through the sign up flow anyway, where it prevents users from reusing an email address or username already associated with an account.

      Hiding it in the log in flow won't improve security, but it will hurt usability.

      2 points
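The two behaviours the thread argues about (Carlos's point that a distinct "no such account" response reveals who has signed up, and Jake's point that the sign-up flow leaks the same thing) side by side, as an added example that is not code from the thread or from Google or Apple. It assumes a hypothetical Python service with an in-memory user store; the addresses, passwords and messages are constructed for illustration. The hardened login does the same password-hash work for unknown addresses as for known ones, so neither the message nor the response time distinguishes them, and the hardened sign-up moves the "already registered" information into the mailbox the requester would have to own to read it.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

# Constructed in-memory user store: email -> (salt, PBKDF2-SHA256 hash).
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_credential(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": _make_credential("correct horse battery staple"),
}

# Fixed dummy credential: an unknown address still costs one PBKDF2 verification,
# so the failure path takes about the same time whether or not the account exists.
_DUMMY_SALT, _DUMMY_HASH = _make_credential("unused-dummy-password")

GENERIC_FAILURE = "Invalid email or password."


def login_leaky(email: str, password: str) -> Tuple[bool, str]:
    """Email-then-password flow that answers differently for unknown accounts.

    The message alone tells an unauthenticated caller whether the address is registered.
    """
    record = USERS.get(email)
    if record is None:
        return False, "Couldn't find your account."  # reveals: not registered
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return True, "Welcome."
    return False, "Wrong password."  # reveals: registered


def login_uniform(email: str, password: str) -> Tuple[bool, str]:
    """Same check, but neither the message nor the work done depends on
    whether the email exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # The membership test guards the corner case of someone typing the dummy password
    # for an unregistered address; the dummy credential must never grant access.
    if ok and email in USERS:
        return True, "Welcome."
    return False, GENERIC_FAILURE


OUTBOX: List[Tuple[str, str]] = []  # constructed stand-in for an email-sending service


def signup_uniform(email: str) -> str:
    """Sign-up that does not reveal whether the address is taken.

    The HTTP response is identical either way; the distinguishing information goes
    only to the mailbox, which the requester must control to read it.
    """
    if email in USERS:
        OUTBOX.append((email, "You already have an account; use 'forgot password' if needed."))
    else:
        OUTBOX.append((email, "Confirm your registration by clicking this link."))
    return "If that address can be registered, a confirmation email is on its way."


def leaks_account_existence(login_fn: Callable[[str, str], Tuple[bool, str]]) -> bool:
    """Self-check a defender can run against a login handler: does the failure
    message differ between a known and an unknown address?"""
    known = login_fn("alice@example.com", "definitely-wrong")[1]
    unknown = login_fn("nobody@example.com", "definitely-wrong")[1]
    return known != unknown


if __name__ == "__main__":
    print("leaky login enumerable:", leaks_account_existence(login_leaky))
    print("uniform login enumerable:", leaks_account_existence(login_uniform))
    print("sign-up response (registered):", signup_uniform("alice@example.com"))
    print("sign-up response (new):", signup_uniform("bob@example.com"))
```

Rate limiting per address and per source still matters for the uniform version: a generic message removes the oracle from a single response, but not from a large volume of guesses, and the sign-up and password-reset flows need the same uniform treatment or the login hardening buys nothing.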