74

Companies like Google and Microsoft use identifier-first screens: where you provide your identifier (like an email) before providing the password.

Why is this done, is this somehow more secure?

I'm setting up a login with Auth0 and identifier-first is one of the options; should I use it?

  • 8
    It is poor security practice. The attacker should not be able to tell whether he has used an invalid identifier or an invalid password for a valid identifier. – user207421 May 10 '21 at 00:41
  • 33
    @user207421 Typically these systems will forward purely based on domain and won't (can't!) even check if the identifier exists. You could type in @example.com and it'd work the same way. Also, arguably, trying to prevent username enumeration with vague error messages results in loss in UX for a questionable gain in security (especially if you have a public registration page!). – Bob May 10 '21 at 03:39
  • 4
    How would a system identify which user logs in without an identifier? A whole bunch of users might all use "SECURE123" as their password... – Kilian Foth May 10 '21 at 07:14
  • 31
    @user207421 It's impossible to prevent this in systems where anyone can do self-signup and has to choose a username that's not already claimed by somebody else. So please stop making your login page less user friendly for no reason at all. – user11153 May 10 '21 at 08:28
  • 9
    @KilianFoth: S-E-C-U-R-E-1-2-3 -- that's amazing! That's the same password I use on my luggage! – Greg Burghardt May 10 '21 at 12:21
  • 1
    @KilianFoth He's talking about a page that asks only for username instead of a page that asks for username AND password. The question is should he use two pages for login or one page – slebetman May 11 '21 at 08:07
  • 1
    Since I can't answer due to this.... Scraping and protection against it also works. Brute-force and dictionary attacks are still common and even with captchas, so what can you do to at least slightly lower the chance of getting your users hacked? Split that one API call sending data to a backend into 2 (or more) API calls, slow them down eventually causing login page to wait 1-2s or up to 5s with a fancy spinner even as direct API call. User thinks it's doing something, script-kiddo will be slowed down. Win-Win! – KeyWeeUsr May 11 '21 at 17:26
  • @slebetman Well, that answer is obvious. What if the authentication used for that account doesn't use a password? What if, for example, the device is trusted, it uses a separate hardware authentication device, or something else entirely? – David Schwartz May 12 '21 at 20:36
  • @DavidSchwartz I didn't ask any question so I have no idea what you are talking about. Kilian did not know what identifier-first means. He thought the OP was asking should a login screen ask for username/password or just password. I clarified for him that the OP is asking if he should ask username in one page and password in a different page (identifier-first) or ask for username and password in one single page. That is the summary of this entire question. Now, IF you have an answer for the OP (which your comment suggests) then write it as an answer below: – slebetman May 14 '21 at 15:11

4 Answers

95

This is common with federated identity systems where a service authenticates users from many identity providers.

Your email address is used to look up which identity provider can authenticate you. This could be a work, school, or personal account. Upon entering your work email, you would be redirected to a URL from your workplace where you enter your credentials before being redirected back to the service. This is also how services allow you to log in via Facebook, Google, and other popular social media networks.

Which solution you choose as a service provider depends on your needs. You will need to evaluate each type and weigh the benefits and drawbacks. No system is perfect. You will need to learn how they work and what their vulnerabilities are.

  • 2
    What if the email is registered with multiple services - for example I use the same email for gmail/outlook – Tobi Akinyemi May 09 '21 at 15:06
  • 3
    Upon signing up with your service the user decides where they will authenticate themselves. Your service needs to track this decision. – Greg Burghardt May 09 '21 at 15:10
  • 5
    @TobiAkinyemi: and in the case there is an ambiguity, provide the user with their options and let them choose which identity provider they want to authenticate with. – Greg Burghardt May 09 '21 at 15:47
  • 2
    @GregBurghardt You mean for new account creation, right? Because you either know from the account, or don't due to lack of account. In the latter case, just reproducibly always redirecting to the same provider would secure knowledge of account existence. – Deduplicator May 09 '21 at 18:56
  • 1
    @Deduplicator: when creating a new account you need to present the user with the identity providers your service knows and trusts. This could include more than just a URL and likely includes API tokens, legal agreements, etc. Your service might need to be registered at the identity provider in order for them to authenticate their user and send them back to your service. It requires a mutual level of trust between service provider, identity provider, and the end user. – Greg Burghardt May 09 '21 at 19:57
  • 17
    That's exactly what happens when I log in to any Microsoft service with my company mail address: I get this prompt and then need to decide whether I log in with my "personal account" (aka Microsoft Passport, for those old enough to remember) or my "work or school account" (Office 365, in my case). This is not only during registration, this is also during login. I have, for example, two completely separate accounts in Microsoft Azure, both with the same mail address. – Heinzi May 10 '21 at 06:46
  • 1
    @TobiAkinyemi, using the same email address across multiple services is fine -- you'd start on the GMail page, so it is clear which service you want to log on to, and your organization is told to send you back to GMail with the token after authenticating you. – Simon Richter May 10 '21 at 09:27
  • 1
    Does this explain why the Apple ID login screen does this? Are there multiple services behind this? – Barmar May 10 '21 at 14:26
  • 2
    @Barmar - Apple is probably both an identity provider and service provider (not to make things even more confusing...) – Greg Burghardt May 10 '21 at 14:32
  • 1
    @Barmar possibly behind the scenes, with the amalgamation of iTools, MobileMe, iTunes and iCloud accounts. Apple also has education accounts, like Microsoft, and Apple is an OAuth provider (sign in with Apple button, like Google, Microsoft, etc) - that may factor into it. – Tim May 10 '21 at 21:40
  • 1
    @Tim Maybe, but I thought the whole idea is that there's a single AppleID that all the services use. So the password prompt shouldn't depend on which service the login goes to. – Barmar May 10 '21 at 21:42
  • 1
    @TobiAkinyemi One concrete example of what Greg is talking about is when logging in to the AWS console. Because a single person may have multiple AWS accounts managing multiple things it uses company/domain first, identity & password second. Actually, it uses account-type first (root account or domain based), then asks for domain (are you logging in for Stackoverflow or Dell or Walmart) then username & password. This way the same email/username can be used to log in to 4 or 5 completely different accounts – slebetman May 11 '21 at 08:12
  • oh! I always thought it was some kind of attack prevention/mitigation technique. But that makes a lot of sense. – ikegami May 12 '21 at 17:47
53

The purpose of this is to redirect to the account's identity provider. However the use case is not selecting between personal login providers such as Facebook or Google. It's to support organisational logins which have organisation-specific user identifiers.

Personal login flows are selected with a dedicated button. The first image in the docs has a "continue with Facebook" button that chooses Facebook as the login provider.

[Image: Auth0 Universal Login Identifier First authentication flow diagram]

What if the email is registered with multiple services - for example I use the same email for gmail/outlook?

This scenario is handled by manual selection. Auto-detection applies on a domain level rather than an account level. From the Home Realm Discovery section of the Auth0 docs:

When a user enters their email, Auth0 will check if the domain matches one from a registered Enterprise Connection. If there's a match, Auth0 redirects the user to the enterprise identity provider’s login page. If the domain doesn't match, the user is prompted to enter their password. This is also known as Home Realm Discovery (HRD).

Entering joe.bloggs@foo-corp.com redirects to Foo Corp's instance because the foo-corp.com domain is registered.

Security Considerations

Information leakage

Redirecting to a given domain leaks that the domain is registered with your Auth0 service.

In the Foo Corp example we know that Foo Corp exists; however, Foo Corp is responsible for not leaking information about the presence or absence of Joe Bloggs' account.

Credential Storage

These redirects support organisations using a product such as Microsoft's Azure AD without being required to give their users' credentials to Microsoft. The organisation can store their credentials in their own instance whilst still allowing access to external services such as Office 365.
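A minimal version of the domain-level lookup that the two answers above describe (Home Realm Discovery), including the "same address, several providers, let the user choose" case raised in the comments on the first answer. This is an added example, not Auth0's code nor code from any answer; the domains, provider URLs and the ENTERPRISE_CONNECTIONS registry are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample registry of enterprise connections, keyed by email domain.
# A domain may map to more than one provider (the "two accounts, same mail
# address" situation from the comments), which must fall back to a manual choice.
ENTERPRISE_CONNECTIONS = {
    "foo-corp.com": ["https://idp.foo-corp.example/saml/login"],
    "contoso.example": [
        "https://login.microsoftonline.example/contoso",
        "https://sso.contoso.example/oidc",
    ],
}


@dataclass(frozen=True)
class NextStep:
    action: str            # "redirect", "choose" or "password"
    providers: tuple = ()  # redirect targets, when applicable


def normalize_identifier(identifier: str) -> Optional[str]:
    """Return the lower-cased domain part of an email-style identifier, or None
    when the input has no usable local part or domain."""
    local, sep, domain = identifier.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def home_realm_discovery(identifier: str) -> NextStep:
    """Pick the next login screen from the identifier alone.

    Only the domain is consulted; whether an account for this user exists is
    never checked, so an unknown user at an unregistered domain receives exactly
    the same answer as a known one (no account enumeration at this step)."""
    domain = normalize_identifier(identifier)
    providers = ENTERPRISE_CONNECTIONS.get(domain, []) if domain else []
    if len(providers) == 1:
        return NextStep("redirect", tuple(providers))
    if len(providers) > 1:
        return NextStep("choose", tuple(providers))
    return NextStep("password")
```

What the lookup does leak is that a matching domain is registered, which is the information-leakage point the answer makes; the existence of Joe Bloggs' account is left for the redirected-to provider to protect.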

7

I think this is used for when some logins may be forwarded to a separate auth service. In this case you don't want to see the password at all.

E.g., say you allow the user to log in to your site with Google/Facebook/email: you can detect which one they want to use from the identifier, but you don't want to see their Google password.

https://auth0.com/docs/universal-login/identifier-first

In your Google example, some users may have corporate "Google Workspace" accounts where the auth is done by the corporation's Active Directory domain or whatever.

– Ewan

7

There might be more than one way to authenticate yourself to a service, especially at their scale.

For example, Google lets you use your phone instead of a password, so that means that they'll want to show that screen instead of a password prompt. Microsoft do too, and also provide options for using physical hardware keys like smart cards, fingerprint sensors, etc. as the first-factor authentication.

If you're using a managed corporate or education account, you might log in using SSO (single sign-on), which means you'll use one account to log in to all your services --- in this case they'll want to redirect you to that portal after you enter an email address, although often it is Google / Microsoft that provide the single sign-on account.

I'm sure there are also some other special cases which cause these screens to be different as well, perhaps when people are locked out of their accounts, or custom interactions designed for specific devices or companies.

From a security perspective, it doesn't really change too much. It does show what account names are available (e.g. if you enter a bad email address into the Google login form it won't take you to the next step, so rather than a vaguer "invalid email or password" message you're getting "invalid email"), but you get this information already by trying to sign up with an email address that's already in use on the sign up form, so there's really no way around this on a public system like theirs anyway.