Hacker News new | past | comments | ask | show | jobs | submit
qup | on: The Website Specification
So what if we don't know? We can find out at the same time.

We're trying to authenticate a pair: user/pass.

extra88 | parent
There is no pair for the enterprise users signing in with their company's SSO or those using Passkey.

I think what some sites do is have a visually hidden, not required password field that a password manager can fill in. If it's not a password-based auth, the flow goes to the next step but if it is, it reveals the password field which may already be filled in.

luckylion | root | parent
Aren't you leaking that there's an account with that email that has a non-password auth method if you treat them differently?
extra88 | root | parent
How would you avoid that? How would someone exploit that information? The whole point of the other auth means are that they're more secure.
loading story #48346904