Why does HestiaCP use two-step login?

Since v1.2.1 HestiaCP has been using a 2-step login (asking for username and password on separate webpages). Why? I find it more cumbersome from a UI/UX perspective and it doesn’t work with all password managers … I did some searching and found several discussions about this topic (since Gmail started using it some years ago).

I imagine that 2-step login may work better for services like Google or Yahoo, which have hundreds of millions of practically computer-illiterate users and have to guide them in “baby steps”.

As per the official Google announcement, their reasoning behind this change was to try out methods which would complement new password authentication methods and to help users log in from devices with a very small screen:

This new Google account sign-in flow will provide the following advantages:

  • Preparation for future authentication solutions that complement passwords
  • Reduced confusion among people who have multiple Google accounts
  • A better experience for SAML SSO users, such as university students or corporate users that sign in with a different identity provider than Google

Source/discussion: usability - Why is Google using a (new) 2 step Gmail sign in process? - User Experience Stack Exchange

This usually happens when the service starts offering other means of logging in, not only the email/password combination. For example services like Okta, or other corporate solutions. And these don’t always need a password to log in. So the flow is as follows:

Let us know who you are
(A) You are a regular customer, so we will present you with a password input
(B) You are a corporate customer, so we will present you with respective service
If you would keep it on one page it would get complicated rather quickly, especially if you would support more than one service. And even if you would support only one, you would end up with two email fields: one with a password and the other one with the corporate solution. It would lead to even more confusion.
How is a two-step login better than single-step when you have a password manager? - User Experience Stack Exchange

According to other discussions the 2-step login offers no security advantage, on the contrary it can reduce it by allowing an attacker to test for valid usernames.

More on the subject, from a security perspective:

The primary reason for separating the username/email entry from the password is Federated Authentication. In many modern web applications, the user signon is handled by the user’s own organization (your company or school for example). The website you are visiting (known as the Service Provider) will keep a list of the organizations that they have established federated authentication with, and the domain(s) used by those organizations. Once you have provided your email address, the service provider will use the domain name to determine the organization, and send you to that organization’s signon system (known as an Identity Provider). You complete the signon at your organization, and then your organization sends you back to the original website, with your identity information in the form of a web cookie most commonly. For more information, I would recommend you research SAML and OpenID Connect, which are the two protocols most commonly used for this.

Passwords are not a requirement for authentication in some cases.

The username generally determines how and what authenticates a user; in a federated login the username will identify the Identity Provider that will authenticate the user. That ID provider might use a password but is not required to; many alternate login flows can happen passively or use other information (e.g. smart card or other hardware token, biometrics, etc.)

Capturing a password in these scenarios either leads to the user entering the (sensitive) data twice (since Hotmail/Google don’t need that info, the ID provider would have to request it a 2nd time) or entering data that is not needed at all.

authentication - Why do some sites ask for username/email and password on two separate screens? - Information Security Stack Exchange

You can set it to one-step login in the configuration options.

I don’t like the two-step behavior either but I don’t think it is worth anyone’s time to open a debate for this issue.

As far as I can remember it was majorly for the looks ……

We had 3 different login screens in the past.

In 1.1.x we had a login screen that checked for a 2FA code when you entered the username / password. This caused a lot of security issues due to the fact that users could discover if a user exists / doesn’t exist without checking if 2FA was required. Also it stressed the server a lot with the lookups…

According to other discussions the 2-step login offers no security advantage, on the contrary it can reduce it by allowing an attacker to test for valid usernames.

The first step accepts any username even if it doesn’t exist… (unless it is an “invalid format”…)
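To make the two points above concrete (the federated routing described in the quoted Information Security Stack Exchange answer, and the maintainer’s note that the first step must accept any username so the login form does not become a user-enumeration oracle), here is an added example of such a two-step flow. It is not HestiaCP code and not taken from any of the quoted posts; the federation table, the accounts and the passwords are constructed for the example, and the IdP URL is a placeholder.

```python
"""Two-step login sketch: identifier first, then password, with 2FA asked for only
after the password verifies.  Added example, not HestiaCP code; all data constructed."""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

ITERATIONS = 50_000
# Format check only: a local username, optionally followed by an e-mail domain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._+-]+(@[A-Za-z0-9.-]+)?$")

# Hypothetical federation table: e-mail domain -> Identity Provider endpoint (SAML/OIDC).
FEDERATED_DOMAINS = {
    "corp.example": "https://idp.corp.example/sso",  # constructed placeholder, not a real IdP
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same cost is paid for real and dummy records."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str, totp_enabled: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "totp": totp_enabled}


# Constructed local accounts.
LOCAL_USERS = {
    "alice": make_record("correct-horse-battery", totp_enabled=True),
    "bob": make_record("hunter2", totp_enabled=False),
}
# Dummy record used for unknown usernames: the server does the same PBKDF2 work and
# gives the same answer, so neither timing nor the message reveals whether a user exists.
_DUMMY = make_record(os.urandom(16).hex(), totp_enabled=True)


def step_one(identifier: str) -> Tuple[str, Optional[str]]:
    """Step 1: decide how to authenticate without consulting the user table.

    Only the *format* of the identifier is checked, so existing and non-existing
    accounts get exactly the same response.  Returns (action, idp_url)."""
    if not USERNAME_RE.fullmatch(identifier):
        return ("invalid_format", None)
    _, at_sign, domain = identifier.rpartition("@")
    if at_sign and domain.lower() in FEDERATED_DOMAINS:
        # Home-realm discovery: hand the user to their organisation's IdP; no
        # password is collected here because the IdP will authenticate them.
        return ("redirect_to_idp", FEDERATED_DOMAINS[domain.lower()])
    return ("ask_password", None)


def step_two(identifier: str, password: str) -> str:
    """Step 2: verify the password for a local account.

    Unknown username and wrong password share one code path and one answer.
    Whether 2FA is required is disclosed only after the password has verified,
    at which point an attacker would already hold the password anyway."""
    record = LOCAL_USERS.get(identifier, _DUMMY)
    candidate = hash_password(password, record["salt"])
    password_ok = hmac.compare_digest(candidate, record["hash"])
    if identifier not in LOCAL_USERS or not password_ok:
        return "invalid_credentials"
    return "totp_required" if record["totp"] else "authenticated"


if __name__ == "__main__":
    for ident in ("alice", "nobody", "carol@corp.example", "bad name!"):
        print(ident, "->", step_one(ident))
    for ident, pw in (("alice", "correct-horse-battery"), ("alice", "wrong"), ("nobody", "wrong")):
        print(ident, "->", step_two(ident, pw))
```

The property worth checking is that `step_one("alice")` and `step_one("nobody")` are identical, and that `step_two` answers `invalid_credentials` both for an unknown user and for a wrong password, with the same hashing work done in both cases; that is what keeps the first screen from becoming the username-discovery oracle the 1.1.x flow had.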

I have been searching for a while now in the docs and I can’t find a CLI command to set the 1-step login. Does it exist?
