For example, the site can check if the account has enabled two-factor authentication and, if not, require a CAPTCHA for login. The two-page design also makes it harder for bad actors to create phishing sites with look-alike login pages when there is a page redirect involved.