Archive for July, 2023

Usernames, the underused security

July 16, 2023

Usernames and passwords. For quite a few years now, computer (and smartphone) users have been encouraged to use their email address as their username. This is a shame, because a username can be a full-fledged participant in the credentials used to thwart bad-guys, almost as effectively as a password can. But it is only effective if it is variable. If you use the same string of characters as the username for every site you have access to, its effectiveness is diminished considerably. This is especially true if the username is also your email address.

Let me explain. Traditional single-factor authentication requires two components, a username and a password. Actually, it requires three components; I’ll explain that in a moment. Traditionally the username has been something you are. For the most part it does not change and is easy to remember. It has usually been a variation on the name a human user has (e.g., “ckent”), or sometimes a name they might have wished they had (e.g., “Superman”). Either way, its variability per user has traditionally been extremely low, sometimes no greater than one per person across all websites. This is easy to understand, but it wastes a resource that could be used in the battle against the bad-guys.

The password, on the other hand, has been something you have. For each website, or more accurately for each set of credentials, you are encouraged to “have a different thing.” The “thing” you have for website A is not supposed to be the same as the “thing” you have for website B; that is, you are advised to have a different password for each website. This is a good thing. However, it is not 100% necessary when multiple possible usernames are used. It is the combination of username and password, taken together, that should be unique for each website you use. This does, of course, require you to remember both your username and your password for each website you engage with, and it undermines the concept of “what you are.”

With the advent of Password Managers on the market, however, the need to use the same username for each website is diminished[i]. A Password Manager is as capable of remembering, and submitting to a website, a unique combination of characters for a username as it is for a password. As a matter of fact, the distinction between username and password is swiftly disappearing, and the submission of a single unique string for security purposes is becoming more common. This string can be a string of digits that is sent to you and that you repeat back, or, more often nowadays, access is activated by answering a yes or no question (e.g., “was that really you who requested access?” or something of that nature).

The third component, by the way, is the website URL (universal resource locator). The combination of a username and password is just a string of characters unless you (or the bad-guy) know the web address (i.e., URL) of the website to which it grants access to the entity, the “who” that is attempting the access. Once granted access, this entity becomes the Principal in all interactions within the website. Its ability to do harm or good is determined by its authorized privileges on that website. The Principal does not carry those authorized privileges along, like a backpack traveling from site to site in cyberspace. Rather, he picks them up just inside the door as he enters.
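To make the point concrete, here is an added example (my own, not part of the original post) that audits a constructed password-manager export for the reuse described above, treating each credential as the (URL, username, password) triple, and generates a random per-site username of the kind a password manager could store. The vault format and the sample entries are assumptions.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample vault export (not real credentials): (site URL, username, password).
SAMPLE_VAULT = [
    ("https://shop.example", "ckent@example.com", "Kr7!pton-2023"),
    ("https://bank.example", "ckent@example.com", "Kr7!pton-2023"),
    ("https://forum.example", "ckent@example.com", "forum-only-pass"),
    ("https://mail.example", "qv7m2kd8xa", "mail-only-pass"),
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def audit_vault(vault):
    """Report username reuse across sites, identical (username, password)
    pairs across sites, and sites where the username is an email address."""
    by_username = defaultdict(list)
    by_pair = defaultdict(list)
    email_usernames = []
    for url, username, password in vault:
        by_username[username].append(url)
        by_pair[(username, password)].append(url)
        if EMAIL_RE.match(username):
            email_usernames.append(url)
    return {
        # same username on more than one site: the wasted resource the post describes
        "reused_username": {u: s for u, s in by_username.items() if len(s) > 1},
        # same username AND password on more than one site: the combination is not unique
        "reused_pair": {p: s for p, s in by_pair.items() if len(s) > 1},
        # an email address is public and guessable, so it adds nothing to the credential
        "email_as_username": email_usernames,
    }


def generate_username(length=10):
    """Random per-site username a password manager could remember for you:
    a letter followed by lowercase letters and digits, drawn from a CSPRNG."""
    alphabet = string.ascii_lowercase + string.digits
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return first + rest


if __name__ == "__main__":
    for finding, detail in audit_vault(SAMPLE_VAULT).items():
        print(finding, detail)
    print("suggested username:", generate_username())
```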

I use the term Principal in this case because by the time access is granted neither the software nor the hardware any longer knows[ii] who the entity (now Principal) is or was, nor even whether it was a “who” in a 6BI sense. A Principal is an authenticated user, and is supposed to be you or your authorized agent. It could still be a “robo-user”, and will increasingly be so, but the assumption is that it is a proxy for a human user, acting on their behalf.


[i] The need for always using the same username, your email address for example, is diminished, but still encouraged.

[ii] Please excuse the ethnocentrically empowered reference.