Identifying users by a username/password combination is one of the most common authentication methods.

The username is used to identify which user is trying to sign in. In some applications, it's an actual username selected by the user. In other systems, it's the email address used to sign up. It has to be a unique value because the system uses it to identify the user.

This method can be used both in stateful and stateless authentication schemes.


A username/password combination is a well-established pattern.

All users will be familiar with this method avoiding confusion when users are signing up.

Web frameworks like Laravel, Django, and Rails have built-in scaffolding for this method, ensuring a head start when developing applications.


The biggest drawback of using this authentication method is password fatigue. It's is a phenomenon where users are overwhelmed by the number of passwords they have to remember. It can be avoided by using oAuth or single sign-on (SSO).

Many users reuse passwords or variations of passwords across applications. If there is a data leak in any of these applications, it's a security risk.

When to use it

Almost all applications support some username/password authentication. It's a robust authentication method to use unless there is a specific reason to use another method.

When not to use it

Some domains have a prominent oAuth provider in that space that could be suitable to use instead of the username/password method. A good example is the 'programming' space where many users already have a Github, Gitlab, or Bitbucket account.

If the users of the application are teams or employees of larger organisations it might be more suitable to implement SSO. Many companies prefer to give employees access to tools using a single set of credentials that can easily be reset or revoked.

Authentication scaffolding

Starter kits for Laravel, Vue and React.