That’s added friction. Every standard username/password form takes me only one click to enter into my password manager. Your timing-based approach also adds uncertainty. What if the second form is different now? What if the first request doesn’t finish in the specified delay time? When dealing with credentials, I don’t want to think about any of those things.
What if the one-page login has a change that requires two tabs to get to the password field, instead of one? This has happened to me on multiple sites.
What if the one-page login is changed to require additional information? At least one airline loyalty program I belong to now requires User Id, Last Name, and Password to be filled in.
Credential-collecting workflows have myriad ways to break the "standard" of USERNAME<tab>PASSWORD<return> that are present regardless of how many pages the workflow spans.
> At least one airline loyalty program I belong to now requires User Id, Last Name, and Password to be filled in.
Ha! Yes AA’s login field requiring both your name and id is annoying but United takes the cake for asking you “secret questions” on every login and you have to pick the answers from a 10-choice drop down.
I didn't remember that it was AA. And ultimately, that's my point in all responses to this article.
I don't know the login process for specific services I use. I don't know what they require or how many pages they are. It takes me less than a minute to configure a login sequence. And it works.
So, to me, none of these login workflows are broken. And the games of "yes, but" that others (not you) are playing are silly, because people are trying to tell me I'll be frustrated doing a thing that has decreased frustration for me for years.
I just spend <1 minute to update the login procedure for that site in my password manager and don't think about it again, continuing to log into all sites the same way, with a hotkey to perform auto-type for that site.
High-pedantry groups like programmers are odd, in that they display this emotional state where they have nothing but complaints about how crappy the world is, yet they seem inwardly smug and happy about how they're clever enough to know better. Is that misery? Is that happiness? I'm in one of those groups, and still, I don't really know for sure.
Was an avid user of kpxc for a year. The auto-type feature did not feel secure compared to other pwms. It requires the username input field to be focused, and if the wrong field is focused (click didn't take?) or otherwise changes mid-type, it spills your credentials into the input and sends them. Other managers seem to at least try to validate the entry types.
I do this stuff manually in AutoHotkey for flows like tabbing to the MFA app window, clicking the right place to copy the code, tabbing back into the app I'm trying to log into, clicking the right space to get to the input fields, and entering the username/password/MFA. As well as for logging onto a website where I need to enter the username, hit tab, hit enter to select "log in with password", then enter the password and hit enter again. Saves a lot of time/dealing with typos in the unnecessarily complex passwords these systems require, and it's cool to watch it do it.
If you set a master password for saved logins in Firefox then passwords won't be available with a simple click, and they will be encrypted on disk.
In browsers that use the OS's password storage, they will normally be stored in encrypted form, although the browser integration is seamless so you won't notice the difference.
In both cases, there is a significant security advantage in cases where the data on disk is leaked (say, if someone steals your computer and you don't have full-disk encryption).
KeePassXC auto-type allows you to add a delay between writing the username and writing the password.
Works just fine for me in these "two step" login scenarios.
Edit to clarify:
This is what I am talking about:
https://github.com/keepassxreboot/keepassxc/wiki/Autotype-Cu...