What are the benefits to a two-page login system for a webapp?

From a pure functional perspective, the two-page system sometimes allows for home realm discovery (where the user has accounts in more than one system).

For example, Microsoft has something called the Microsoft Account and the Organizational Account. The username feature allows HRD to redirect to the correct authenticating server. This feature is live and active for all Azure, O365, and related sites.

For clarification:

  • LiveID, or Passport, is now known as the Microsoft Account

  • Azure Active Directory, Office 365, WAAD, and possibly ADFS all use "Organizational Accounts"

It is possible to have an account in the form of [email protected] at one or both directories. You can test for the presence of an account in one or the other directory by checking the JSON available here

 https://login.microsoftonline.com/[email protected] 

or

 http://odc.officeapps.live.com/odc/emailhrd/getidp?hm=0&emailAddress=USER%COMPANY.com
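To make the home-realm-discovery step concrete, here is an added example (not code from the answer above, and not Microsoft's implementation) of what the first page of a two-page login does with the username: it parses the user@domain form, picks the realm that authenticates that domain, and builds the redirect to that realm's password page. The realm table, the realm names and the `login_hint` parameter are assumptions made for this example.

```python
"""Home realm discovery (HRD) for a two-page login.

Added example; not from the original answer and not Microsoft's code. It
models page one of a two-page login: the user submits a username, the server
decides which authenticating realm owns that domain, and the browser is sent
there for the password step. The realm table, realm names and the
'login_hint' query parameter are all assumptions for this example.
"""
import re
from urllib.parse import quote

# Constructed realm table: which identity provider authenticates each domain.
# A real deployment would source this from directory/federation metadata.
REALMS = {
    "example.com": {"type": "federated", "auth_url": "https://sts.example.com/adfs/ls/"},
    "contoso.test": {"type": "managed", "auth_url": "https://login.idp.test/password"},
}

# Domains with no entry fall through to the consumer realm (assumed behaviour).
CONSUMER_REALM = {"type": "consumer", "auth_url": "https://consumer.idp.test/password"}

_LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+-]+$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def parse_username(username):
    """Split a UPN-style username into (local, domain), lower-casing the domain.

    Returns None if the username is not well-formed, so the caller can reject
    it before any lookup happens.
    """
    username = username.strip()
    if username.count("@") != 1:
        return None
    local, domain = username.split("@")
    domain = domain.lower()
    if not _LOCAL_RE.match(local) or not _DOMAIN_RE.match(domain):
        return None
    return local, domain


def discover_realm(username):
    """Return where the password step for this username should happen.

    The lookup is by domain only: this function never checks whether the
    specific account exists, so page one cannot be used to enumerate users.
    Unknown domains go to the consumer realm instead of producing an error.
    """
    parsed = parse_username(username)
    if parsed is None:
        return {"ok": False, "error": "malformed username"}
    local, domain = parsed
    realm = REALMS.get(domain, CONSUMER_REALM)
    # login_hint carries the username to page two so it need not be retyped.
    redirect = f"{realm['auth_url']}?login_hint={quote(f'{local}@{domain}')}"
    return {"ok": True, "domain": domain, "realm": realm["type"], "redirect": redirect}


if __name__ == "__main__":
    for u in ["alice@example.com", "Bob@CONTOSO.TEST", "carol@gmail.example", "not-an-upn"]:
        print(u, "->", discover_realm(u))
```

The point of routing on the domain rather than on the account is the caveat the answer hints at: an endpoint that reports whether a particular account exists in a directory is also an account-enumeration oracle, so page one should reveal only which realm handles the domain.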

I've seen this used in systems like SiteKey that some banks use on websites. The idea here is that once the user has identified themselves on page one by entering a username, the application then provides some information (in the case of SiteKey a picture and phrase chosen by the user during enrollment), which is intended to assure the user that they are on the correct site before they enter their password.

Whether this has actual security benefits against standard attackers is debatable (i.e. it could be possible for attackers to act as a Man-in-the-middle and relay the username on to the site, retrieve the image and show this to the user)
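The relay the answer describes, as an added example that is not part of the original post and not any bank's code: an in-memory "bank" implements the two-page SiteKey flow, a naive phishing page that does not know the victim's image fails the SiteKey check, and a relaying phishing page that forwards the username to the real bank gets the genuine image and so passes it. All user records, images and phrases are constructed for this example.

```python
"""SiteKey-style two-page login and the man-in-the-middle relay against it.

Added example; not code from the answer or from any bank. The bank, the
victim and both phishing pages are in-memory stand-ins so the exchange can be
run offline. Enrollment records are constructed for this example.
"""

# Constructed enrollment records: image and phrase chosen at enrollment.
BANK_USERS = {
    "alice": {"image": "img_0042_sailboat.png", "phrase": "blue harbour",
              "password": "correct horse"},
}


class Bank:
    """The genuine site. Page one returns the SiteKey, page two checks the password."""

    def __init__(self):
        self.log = []  # what the bank sees: every request, by page

    def page1(self, username):
        self.log.append(("page1", username))
        rec = BANK_USERS.get(username)
        if rec is None:
            return None
        return {"image": rec["image"], "phrase": rec["phrase"]}

    def page2(self, username, password):
        self.log.append(("page2", username))
        rec = BANK_USERS.get(username)
        return rec is not None and rec["password"] == password


class NaivePhish:
    """Phishing page with no access to the bank: it has to guess the SiteKey."""

    def __init__(self):
        self.captured = []

    def page1(self, username):
        return {"image": "img_0001_kitten.png", "phrase": "hello"}

    def page2(self, username, password):
        self.captured.append((username, password))
        return True


class RelayPhish:
    """Phishing page that proxies both steps to the real bank in real time."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = []

    def page1(self, username):
        # Forward the username, hand the genuine SiteKey back to the victim.
        return self.bank.page1(username)

    def page2(self, username, password):
        self.captured.append((username, password))
        # Forward the password too, so the victim sees a normal successful login.
        return self.bank.page2(username, password)


def run_victim_session(site, username, password, remembered):
    """Victim enters the username, proceeds only if the SiteKey matches what
    they remember from enrollment, then enters the password."""
    sitekey = site.page1(username)
    if sitekey != remembered:
        return {"proceeded": False, "logged_in": False}
    return {"proceeded": True, "logged_in": site.page2(username, password)}


ALICE_MEMORY = {"image": "img_0042_sailboat.png", "phrase": "blue harbour"}


def demo():
    """Run the three scenarios and return their outcomes."""
    bank = Bank()
    naive = NaivePhish()
    relay = RelayPhish(bank)
    return {
        "genuine": run_victim_session(bank, "alice", "correct horse", ALICE_MEMORY),
        "naive": run_victim_session(naive, "alice", "correct horse", ALICE_MEMORY),
        "naive_captured": list(naive.captured),
        "relay": run_victim_session(relay, "alice", "correct horse", ALICE_MEMORY),
        "relay_captured": list(relay.captured),
        "bank_log": list(bank.log),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The bank's own log shows the limit of the scheme: from its side the relayed session is indistinguishable from the genuine one (same page-one then page-two requests for the same user), so the SiteKey raises the bar only against a phisher who cannot talk to the real site at the moment the victim does.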


One other benefit is that users can very easily find a login form if you have a username entry field on the front page, among all the ads and links and other content. Then when they submit their username, the password usually gets entered on a very bare-bones page with only a password field.

I always look for the lock icon in general, but it makes me feel just a little less safe if I'm entering a password alongside a bunch of ad scripts and other potential attack surfaces. So splitting the login like that could conceivably add a little security by reducing the possible attack surface for grabbing a password. At the very least it gives that perception.

Of course the better solution might just be to provide a separate dedicated login page that asks for both username and password and just have a big LOGIN button on the homepage that takes you there.