Log in with username

Introducing Log in with username

Today, we’re excited to introduce an important passwordless single-factor authentication (SFA) option that can be used in multiple verticals.

Log in with username authentication solutions are ideal for use cases where your customers want to quickly log in without a password. Logins can’t get any easier than this, making this the most desired product to date – surpassing even account recovery by NFT.

With Stytch, developers can implement Log in with username into their authentication flows in seconds rather than minutes.

How Log in with username works

When integrated, a user proves knowledge of their username, granting access to their account.

It works by proving ownership of a username because the user knows their username.

Once the user supplies a username as evidence of their identity, they are either logged into an existing account or given a new one.

Log in with username vs. Log in with Password

At Stytch, we’re committed to killing the password. We’ve released products to combat this dangerous concept before, but this is our passwordless take on an old classic.

We’ve determined that a secret, complicated password isn’t needed. Why use password when username do trick? Exactly.

How to integrate

To log in a user with their username, integrate with these easy steps:

  1. Ask the user for their username.
  2. Hit /v1/users/authenticate with the username.
  3. Log the user in.

If you have an existing project, migrate with these easy steps:

  1. Delete the password column from your users table.

Security concerns

Here we’ll cover several recommendations for how to deal with your users’ usernames.

First, we recommend complicated, hard-to-read usernames. A common pattern we’ve been seeing is to require the following:

  • 1 uppercase letter
  • 1 lowercase letter
  • 1 symbol
  • 1 emoji (we recommend the 🤬 emoji because it counts toward the symbol requirement)
  • 3 numbers that mean a lot to you

If your users are struggling to come up with good usernames, consider adding a username strength check. Even better, create usernames for them, e.g., using a secure random string generator. Remember to run the username strength check after randomizing to prevent usernames like “username”, “root”, “MyspaceTom”, or “DozensOfOvals.”

Second, we’ve seen success requiring users to rotate their usernames periodically, maybe thrice a year. We’re not sure if this is a proven method.

Third, remind your users to not share their usernames with anyone they don’t trust online.

Closing remarks

As you’ve seen, the Log in with username product creates a quick and painless way to get access to a username’s account.

If this product doesn’t seem safe enough for you, remember that half of your users are already sharing their passwords across many of their different online accounts, with loved ones, people who ask nicely, or their ex-co-worker Hunter the 2nd. If you still require stronger security, consider upgrading to multi-factor authentication (MFA) with one of our future products such as Log in with your Favorite Digit.