this post was submitted on 13 Mar 2026
1187 points (98.1% liked)

Programmer Humor

30364 readers
739 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
1187
I love password based login (lemmy.world)
submitted 1 day ago by bdjegifjdvw@lemmy.world to c/programmer_humor@programming.dev
168 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] MaggiWuerze@feddit.org 267 points 1 day ago (7 children)

Also This strange trend to split username and password on to two separate pages, or only showing the password field after confirming the username

[–] helvetpuli@sopuli.xyz 4 points 15 hours ago

That's there to support routing to an identity provider for SAML2 SSO.

[–] neidu3@sh.itjust.works 85 points 1 day ago* (last edited 1 day ago) (3 children)

Not that strange. Different users may belong to different groups which may have different authentication backends. The associated authentication method is brought up once a username has been provided.

[–] lime@feddit.nu 50 points 1 day ago

if your choice of api route directly affects your auth flow something is very wrong.

[–] atomicbocks@sh.itjust.works 25 points 1 day ago

You can do that as part of an OAuth workflow. You don’t need to have them on separate pages for that to happen.

[–] paraphrand@lemmy.world 8 points 1 day ago

Yes, but, it also lets them slurp up email addresses. Routing users is legit tho.

[–] IcedRaktajino@startrek.website 52 points 1 day ago* (last edited 1 day ago)

And the auto-submitting TOTP entry form where you're apparently not allowed to make a typo. And obscuring the TOTP number like it's a password or state secret.

[–] bamboo@lemmy.blahaj.zone 32 points 1 day ago (1 children)

This is because of Enterprise Single Sign On. You can try this for yourself by going to https://gmail.com/ and enter the email of a public person at a large org, for example the CEO of Doordash (tony@doordash.com). After you enter the email, you get sent to Doordash's employee portal to authenticate. Based on the email you provide, Gmail has to figure out if you need to provide a password to gmail itself or if the email authenticates another way.

[–] Jesus_666@lemmy.world 16 points 1 day ago (2 children)

It's not like you can't add a "Log in with your company's SSO" button to the form. That works just fine and at least Microsoft does something like that.

[–] helvetpuli@sopuli.xyz 1 points 15 hours ago

No it doesn't work fine, because it confuses people, and provides the potential for working-around SSO.

[–] bamboo@lemmy.blahaj.zone 10 points 1 day ago (2 children)

Not sure I'd take design inspiration from Microsoft of all places. Also https://login.live.com/ has the same workflow email -> continue -> password. Not sure where you're seeing Log in with SSO option.

[–] Gumbyyy@lemmy.world 4 points 1 day ago (2 children)

I see the Login with SSO option all over the place. Of course, that assumes the users actually understand what that means, and they know whether or not they need to click it.

[–] tja@sh.itjust.works 3 points 19 hours ago

And remembers which one they choose when registering.

[–] mimavox@piefed.social 1 points 1 day ago

Zoom has it, for example. 

[–] Jesus_666@lemmy.world 1 points 1 day ago* (last edited 1 day ago) (1 children)

My company uses Entra ID (or whatever they've renamed it to this week) and it's a pretty common sight in our login flow. I think our SharePoint instance does it so it should be something MS does.

Of course it all depends on w how the company configures it.

[–] bamboo@lemmy.blahaj.zone 2 points 1 day ago (1 children)

Ok, I think I get what you're saying. You mean have a different form input without the password, like how it's done here: https://eu.app.orcasecurity.io/login? I guess that's one way to do it, but it's not really intuitive from a user perspective, since the first thing you see is a password field, and then think you don't have access because you don't have a password. This one comes to mind because I have had to tell people to click the tab for the email only field, not email and password.

[–] Jesus_666@lemmy.world 1 points 1 day ago

I also often see implementations where there's a first step where you have to select how to log in. It's an extra click but very clear (and usually one of the options is some form of SSO where that one click fully logs you in if you already have a session open).

[–] ricecake@sh.itjust.works 6 points 1 day ago

That ones because users like choice. They need to look up who you are to know how you've chosen to authenticate. At least, that's how it started. Some could be doing it because the big kids are, but that's why the big kids do.
And they support choice because businesses want to use their login infrastructure and refuse to share. So you enter "user@businessOrUniversity.com.edu" and it forwards you to your institutional login.

[–] mimavox@piefed.social 2 points 1 day ago

Came here to say that! For the love of God, stop with this nonsense!

[–] kibiz0r@midwest.social 5 points 1 day ago

1Password handles this gracefully