26

Why Google & Apple started to use "Email, then Password" authentication process?

over 1 year ago from , Full-stack ninja-unicorn-warrior-princess @ Favored Crew

Have you noticed that Google, and Apple, started to use "Email" and only then "Password" authentication process?

What is the reason for adding a secondary step to the process? To support SSO?

[Image: Google Email goes first]

17 comments

  • Harper Lieblich, over 1 year ago

    There are a handful of reasons a product team might have for choosing this pattern.

    1. You can identify if a user already has an account. If not, you can re-route them to a Signup screen.
    2. When users are having trouble signing in, it's often hard to know if they're using the wrong email address or the wrong password. This pattern allows the user to solve one incorrect entry at a time.
    3. If you already likely know who the user is, you can skip the email field and present them with only the password field.
    31 points
    • Carlos Cabral, over 1 year ago

      you shouldn't use #1 - your website/app will be exposing who has already signed up

      14 points
      • Scott Liang, over 1 year ago

        Interesting point, I've never thought of this. Maybe it's less of an issue with companies such as Google, where just about everybody has an account and the address is used as your point of contact.

        0 points
      • Jimmy Hooker, over 1 year ago

        It appears this is kind of impossible to get around: https://security.stackexchange.com/a/123464/5446

        2 points
        • Carlos Cabral, over 1 year ago

          depending on your adversary's resources/willingness to break your app, no security system is immune - but you can prevent small scale attacks/leaks with simple procedures like this one.

          1 point
      • Harper Lieblich, over 1 year ago

        And yet, Google does exactly that.

        Enter an existing address and Google will advance you to the password field. Enter a made-up address and Google will inform you that it "Couldn't find your Google Account."

        I understand it's a security concern, but I'm not convinced that the risk outweighs the benefits to the user experience.

        2 points
      • Jake Lazaroff, over 1 year ago

        Your website/app exposes this through the sign up flow anyway, where it prevents users from reusing an email address or username already associated with an account.

        Hiding it in the log in flow won't improve security, but it will hurt usability.

        2 points
    • Daniel Marques, over 1 year ago

      Also (and this might not be the case for Google or Apple), if you work with legacy accounts on legacy systems, or just multiple systems, with the email first you can infer what system to use going forward for that account.

      This saves the user from the effort of knowing in which system they have to log in.

      0 points
  • Sanchit Gupta, over 1 year ago

    I think the reason is to support other organizations' SSO. CMU Alumni uses Google Apps. As soon as I enter my email address in the Google login form, it takes me to the CMU login screen.

    10 points
  • Michael G, over 1 year ago

    I don't know the reason, but I find it very annoying because sometimes it breaks password managers

    5 points
    • Ryan Hicks, over 1 year ago

      Indeed it's already hard enough to remember credentials for someone not using a password manager like most people using the internet that are not tech savvy.

      On top of this, it's just another step in the process of signing into an account that I don't want. Finding ways to do away with passwords is what people should be advocating for rather than separating an already small and simple process into multiple steps.

      1 point
  • Andrew C, over 1 year ago

    I've had to switch logins to this—it was for SSO and other post-email authentication (not for any of the UX simplicity mentioned here). It was the simplest way to tackle a hydra-flow situation bureaucracies tend to require.

    3 points
  • Parvez S, over 1 year ago

    PayPal also did the same thing.

    1 point
  • Account deleted over 1 year ago

    1 text field is simpler than 2.

    1 point
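
As an added illustration of the trade-off debated in this thread (not code from any commenter, nor from Google or Apple): a minimal email-first login in Python that still routes to SSO by domain, but never reveals whether an individual address is registered. The domain, IdP URL, sample account and function names are assumptions made up for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data; the domain, IdP URL and account are hypothetical.
SSO_DOMAINS = {"alumni.example.edu": "https://idp.example.edu/login"}
ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


ACCOUNTS = {"alice@example.com": _make_account("correct horse battery")}
# Verified against when the address is unknown, so both paths do the same work.
_DUMMY = _make_account(os.urandom(16).hex())


def identifier_step(email: str) -> dict:
    """Step 1: decide the next screen from the domain only."""
    email = email.strip().lower()
    domain = email.rpartition("@")[2]
    if domain in SSO_DOMAINS:
        # Domain-level routing: the same answer for every address at the domain.
        return {"next": "sso", "idp": SSO_DOMAINS[domain]}
    # No account lookup here: known and unknown addresses get the same answer.
    return {"next": "password"}


def password_step(email: str, password: str) -> dict:
    """Step 2: verify, with one generic failure for every bad combination."""
    record = ACCOUNTS.get(email.strip().lower())
    candidate = _hash(password, (record or _DUMMY)["salt"])
    ok = hmac.compare_digest(candidate, (record or _DUMMY)["hash"])
    if record is not None and ok:
        return {"ok": True}
    return {"ok": False, "error": "Incorrect email or password."}
```

This version gives up the per-step feedback listed in the first comment in exchange for uniform responses. The sign-up and password-reset flows need the same uniform treatment, otherwise they disclose what the login flow hides.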