Comment by fmajid
7 hours ago
I'd love best practices around, say, login forms, e.g.:
- use standard input field names password managers recognize - disable autocompletion and autocapitalization on the login field
- if it's an email, use the correct HTML5 input type
- don't have a form with just a login email and force the user to click to enter the password
- follow NIST SP 800-53, e.g. no SMS 2FA and no arbitrary password rotation and composition rules
Or how many sites that have a form with only one input don't automatically focus on it.
I've had good fun reading about best practices for forms in Adam Silver's blog.
https://adamsilver.io/blog/form-design-from-zero-to-hero-all...
He has posted many new things since. Probably one of the best UX resources on the web.
> don't have a form with just a login email and force the user to click to enter the password
This is required for any non trivial auth system though. You not know until the user is submitted if that user has a password or is using something else.
So what if we don't know? We can find out at the same time.
We're trying to authenticate a pair: user/pass.
There is no pair for the enterprise users signing in with their company's SSO or those using Passkey.
I think what some sites do is have a visually hidden, not required password field that a password manager can fill in. If it's not a password-based auth, the flow goes to the next step but if it is, it reveals the password field which may already be filled in.
1 reply →
> Or how many sites that have a form with only one input don't automatically focus on it.
That's one example where the "web stack" expects every single website to implement things manually that were standard in native UI toolkits. Then of course the majority of websites will not deem it a priority or not realize it's a thing to consider at all - and we end up in a situation like this.
> don't have a form with just a login email and force the user to click to enter the password
I was noticing that this kind of login forms seems to be proliferating, especially on "big tech" sites. (And personally, I also find it annoying)
Always assumed there was some reason why sites are switching to this pattern, e.g. better bot protection. Does anyone know more about this?
I suspect they ask for email first in order to determine whether to log you in via SSO vs. require a password.
As someone who's built just that, can confirm. If users have SSO configured, or a Passkey, or any other policies apply, you first need to identify the account to be able to determine which options to offer - maybe they don't even have a password in the first place, so displaying the field would cause confusion. As a side effect, this also conveniently allows to check for blocked accounts.
Ah, that would make sense.
I always assumed it was because of SSO redirects
> many sites that have a form with only one input don't automatically focus on it.
That's reasonable to do when that form is the reason a page exists but otherwise it's best to not mess with the user's focus.
Evil Martians have a nice write-up on the login forms: https://evilmartians.com/chronicles/html-best-practices-for-...