I've noticed more and more web sites are using multiple pages for login.
That is, they have one page where you enter your username and once
submitted then navigates to a second page to enter your password. With
one page to enter your login credentials, and until the site changed the
URL for that login page, the web browser's password manager could be
used to remember your login and pre-fill the input fields for username
and password. With multi-page logins, you get to remember only one of
them in the web browser's password manager. That means you still have
to remember the other one.

Google login (e.g., Gmail), Hotmail/Outlook.com, and other sites that I
visit regularly are now using multi-page logins. Is there something
native within Firefox so I can get it to remember the input fields
across multiple pages for logins, or do I have to use an extension? I
hear, for example, that there is some workaround for LastPass. It does
not actually record multi-page logins but you can maybe have it remember
each page as a record in its database so it will pre-fill each page.

The multi-page logins look to verify a human is using the account
instead of a screen scraper or keylogger. It's just a nuisance to us
users since we still somehow have to enter the login credentials whether
the input fields are on one page or span across a couple of pages. I've
yet to find a definitive explanation on how a multi-page login is more
secure than a single-page login. Google started this and Microsoft and
others just copied what Google did. Google started OAUTH and screwed it
so badly in OAUTH2 that the RFC had to change from "protocol" to
"framework". Just because Google decides to do it some way doesn't mean
it is more secure or better for their users. More likely it is better
for Google. They want humans to get past the login instead of bots,
similar to how CAPTCHA got used to do the same. Make it harder for
humans to add not security but qualification of human use.

While multi-page logins may be touted for better security, it means a
hacker doesn't have to provide both login credentials to find out if a
valid e-mail account exists at the domain. They can just enter an
e-mail address and check if they get the next page for password or an
error. Maybe that is considered less work than doing the same within an
SMTP session to begin the handshaking: establish a session, specify the
target username, and check status. There are sites that already let you
check if a username is valid at a domain by doing the SMTP process to
check returned status. With 1-string validation (username), you can
enumerate the accounts there. With 2-string validation, there's no
enumeration because failure doesn't differentiate which string is
invalid for the account or whether or not the account exists. Only if
the 1st page of a multi-page login returns no status but instead goes
directly to the 2nd page and thereafter returns a status would the
hacker not know if the username or password was the invalid string;
however, if you're not going to return status on the 1st page then there
was no point in going to a 2-page login versus a one-page login.

Script kiddies can use either the SMTP handshake to validate a username
or the 1st page of a multi-page login to enumerate account names at the
site. The multi-page login just provided an alternate method than
having to use SMTP to find valid e-mail accounts.

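As an added illustration of the enumeration argument above (this is a constructed toy, not code from the post or from any of the sites named in it), here is a "first page validates the username" flow beside a variant that always proceeds to the second page and returns one generic failure, plus the self-check a site owner would run to see whether their first page acts as an account-existence oracle. The account names and passwords are made up.

```python
# Toy model of the two login flows argued about above. Constructed example;
# the accounts and responses are made up and nothing here is a real site's code.
ACCOUNTS = {"alice@example.com": "correct horse", "bob@example.com": "battery staple"}
GENERIC_FAILURE = "error: invalid username or password"


def leaky_first_page(username: str) -> str:
    """Multi-page login as described in the post: page 1 checks the
    username on its own and tells the visitor whether it exists."""
    return "page2" if username in ACCOUNTS else "error: unknown account"


def leaky_second_page(username: str, password: str) -> str:
    """Page 2 of the same flow; by now the account is known to exist,
    so the only failure it can report is a wrong password."""
    return "ok" if ACCOUNTS.get(username) == password else "error: wrong password"


def uniform_first_page(username: str) -> str:
    """Hardened variant: page 1 always proceeds to page 2, so an unknown
    username looks exactly like a known one."""
    return "page2"


def uniform_second_page(username: str, password: str) -> str:
    """Hardened page 2: one generic failure for a wrong username, a wrong
    password, or both. dict.get() returns None for unknown users, which
    never equals a submitted password, so both cases take the same branch."""
    if ACCOUNTS.get(username) == password:
        return "ok"
    return GENERIC_FAILURE


def first_page_leaks_existence(first_page, known: str, unknown: str) -> bool:
    """Self-check a site owner can run against their own flow: does page 1
    respond differently for an account that exists and one that does not?
    True means the first page is a username-enumeration oracle."""
    return first_page(known) != first_page(unknown)


if __name__ == "__main__":
    for label, page in (("as described", leaky_first_page), ("hardened", uniform_first_page)):
        leaks = first_page_leaks_existence(page, "alice@example.com", "nobody@example.com")
        print(f"{label}: page 1 leaks account existence = {leaks}")
```

Against a real flow the same comparison would cover status codes, redirects, page bodies and response timing, not just one returned string.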
Some sites are getting even worse. I've read where some banks have a
3-page login sequence: username (or email address), an image, then
password. If this keeps up, I'll have to drop my pants to let them
measure "my buddy" for identification. See what happens when developers
and programmers have free time? Idle hands are the devil's workshop.
If they're idle, they must not be doing their job so they have to

Intel recently came out with TrueKey to incorporate biometrics into
logins. Since the purpose is to automatically enter your login
credentials (based on a "lock" on the client side based on biometrics),
I suspect their new puppy is also getting nailed by multi-page logins.
Until someone flushes the toilet on this proposed yet unproven
additional security, I'm wondering if there's some trick in Firefox's
Password Manager to get it to work with multi-page logins.