Yes, that should generally work. I'm sure someone will decide to make a page requiring a CAPTCHA in between entering the username & the password to create an exception to this case though. It's the sort of insecure-by-design nonsense banks love.