Comment by qup
3 hours ago
So what if we don't know? We can find out at the same time.
We're trying to authenticate a pair: user/pass.
3 hours ago
So what if we don't know? We can find out at the same time.
We're trying to authenticate a pair: user/pass.
There is no pair for the enterprise users signing in with their company's SSO or those using Passkey.
I think what some sites do is have a visually hidden, not required password field that a password manager can fill in. If it's not a password-based auth, the flow goes to the next step but if it is, it reveals the password field which may already be filled in.
Aren't you leaking that there's an account with that email that has a non-password auth method if you treat them differently?
How would you avoid that? How would someone exploit that information? The whole point of the other auth means are that they're more secure.
1 reply →