I saw a good discussion about this. There are actually a few reasons sites are doing it...
1) Security, as described in this issue
2) Third party login integration, e.g. you put in your email and it realizes it is a FB login, or a corporate Okta login
3) Usability. No need for separate login/join/forgot-password links, as it can start the flow of all 3 by knowing what the email address is.
Hmm, while I understand points 2 and 3, I'm not sure I understand point 1 as much. In my mind, I can only see it making man in the middle attacks harder to a small degree. A key-logger for instance would negate the protection, at least the way I'm thinking of it.
I think I previously suggested an on-screen virtual keyboard, which I assumed may help prevent keylogging to some degree if used on the login screen and any other sensitive areas. The issue included a link to some opensource code (which I recall seemed pretty versatile in what you could do) but I have no idea how to search this tracker. There is this simpler version > https://github.com/quintanamo/virtual-keyboard and I'm sure there are others, or maybe the devs could create their own (mobile compatible) version.
"I can only see it making man in the middle attacks harder to a small degree" - a small degree is something. If the information is in different response packets (MITM/captured attack), or different HTML pages (client-side attack), that must be re-aggregated that requires quite a lot more sophistication.
1) Security, as described in this issue
2) Third party login integration, e.g. you put in your email and it realizes it is a FB login, or a corporate Okta login
3) Usability. No need for separate login/join/forgot-password links, as it can start the flow of all 3 by knowing what the email address is.