Why don't we use single input authentication?

When signing up for a service, you have a good chance of getting "This name is already in use, choose another" - or something to that effect.

In the system you propose, this would tell you that the access code is in use - great, open a new browser and log in with this access code! You've just hijacked somebody else's account.

You could find any number of existing access codes, just by trying to change your own.

Also, what if you forgot your access code? This can be mitigated if the system knows your e-mail address and can send you a new access code, but then you'd be close to a two-input authentication; you might as well use your e-mail to log in then.


User name is an identifier, a label that indicates which user you are, and identifies which resources belong to you (or refer to you).

Password is an authenticator, a way of proving that you are permitted to assume that user identity.

User names can't be secret, as an information system needs this knowledge in the clear, to label resources and to authorize your use of resources. Passwords should be secret, even to the service and its operators - this is why stored passwords are hashed with a one-way function.

By "resources" above, I'm being deliberately inclusive. For a user login, it may be files and processes; as a database user, you have tables and other database objects; for a web site, it might be your posts and reputation points.
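The two answers above, as an added example that is not part of the original answers: a single-input store whose uniqueness check confirms a working credential, beside a store that keeps a public identifier and a hashed authenticator. The class names, sample values and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


class SingleCodeStore:
    """Single-input scheme: the access code is both identifier and secret."""

    def __init__(self):
        self._accounts = {}  # access code -> account data

    def register(self, code):
        # Uniqueness has to be enforced, so a rejection confirms that
        # `code` is already a valid credential for another account.
        if code in self._accounts:
            return False
        self._accounts[code] = {"owner": f"account-{len(self._accounts) + 1}"}
        return True

    def login(self, code):
        return self._accounts.get(code)


class TwoInputStore:
    """User name is a public identifier; the password is the authenticator."""

    def __init__(self):
        self._users = {}  # username -> (salt, one-way hash of the password)

    @staticmethod
    def _hash(password, salt):
        # Assumed parameters: PBKDF2-HMAC-SHA256 with 600,000 iterations.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def register(self, username, password):
        # A rejection reveals only the identifier, which is not secret.
        if username in self._users:
            return False
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
        return True

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))
```

In the first store the "already in use" response doubles as a successful credential check; in the second, the same response leaves the authenticator untouched.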


We do use it in some cases.

An example is the "share using a link" feature of Google documents. The link contains an access key or document ID that is 45 alphanumeric characters long. This is long enough to both ensure uniqueness and make brute-forcing difficult.