← Back to context

Comment by extra88

2 hours ago

There is no pair for the enterprise users signing in with their company's SSO or those using Passkey.

I think what some sites do is have a visually hidden, not required password field that a password manager can fill in. If it's not a password-based auth, the flow goes to the next step but if it is, it reveals the password field which may already be filled in.

2 comments

extra88

Reply
luckylion  2 hours ago

Aren't you leaking that there's an account with that email that has a non-password auth method if you treat them differently?

  • extra88  3 minutes ago

    How would you avoid that? How would someone exploit that information? The whole point of the other auth means are that they're more secure.