Do we really need usernames?

Maybe you have seen this somewhere, most likely with VPN service providers: they don't create a username for you. All you need to use their service is a unique, random number that serves as your ID and your authentication together.

Why?


The “no‑username, token‑only identity” model is not just a VPN thing. It’s part of a broader shift in authentication design, and it can be used in many other services, as long as the service doesn’t need a persistent, human‑meaningful identity.

It feels strange at first, but it’s not laziness or corner‑cutting. It’s actually a deliberate design choice rooted in privacy, threat‑modeling, and operational efficiency.

1. Usernames create unnecessary personal identifiers

A username is a stable, trackable identity. If a provider wants to minimize what they know about you, they avoid creating one.

A random ID or token:

  • cannot be tied to your name

  • cannot be tied to your email (if they allow anonymous signup)

  • cannot be tied to your other accounts

  • cannot be guessed or brute‑forced

  • is meaningless outside their system

This is a privacy win, not a downgrade.

 

2. Authentication tokens are simpler and safer

Traditional login flow:

  1. Username

  2. Password

  3. Optional 2FA

  4. Server stores hashed credentials

  5. Client must handle login logic

Token‑based flow:

  • The server generates a random secret (like a long API key)

  • The client uses it directly to authenticate

  • No password database

  • No password resets

  • No brute‑force attacks

  • No phishing of credentials

This is closer to how SSH keys, API keys, and private keys work.

 

3. It reduces the provider’s legal exposure

If a VPN claims “no logs,” then storing usernames is already a liability.

A random account number:

  • contains no personal data

  • cannot identify a person

  • is easy to delete

  • is easy to rotate

This makes it easier for the provider to prove they store nothing meaningful.
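The token-only flow from section 2 and the "easy to delete, easy to rotate" properties from section 3, as an added Python example (not code from this post or from any VPN provider). The TokenStore class, the 32-byte token length and the SHA-256 digest storage are assumptions made for illustration; entropy_bits also shows how guessable a digits-only account number is compared with a long random token.

```python
import hashlib
import math
import secrets


def entropy_bits(alphabet_size, length):
    """Guessing entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


class TokenStore:
    """Hypothetical account table keyed by token digest: no username,
    no e-mail address, and no plaintext secret on the server."""

    def __init__(self):
        self._accounts = {}  # sha256 hex digest -> account state

    @staticmethod
    def _digest(token):
        # A fast unsalted hash is acceptable only because the token is
        # 256 random bits; this would be wrong for human-chosen passwords.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self):
        token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._accounts[self._digest(token)] = {"active": True}
        return token  # shown to the client once, never stored

    def authenticate(self, token):
        # Lookup by digest, so the raw secret is never compared byte by byte.
        record = self._accounts.get(self._digest(token))
        return bool(record and record["active"])

    def rotate(self, old_token):
        record = self._accounts.pop(self._digest(old_token), None)
        if record is None:
            return None  # unknown token: nothing to rotate
        new_token = secrets.token_urlsafe(32)
        self._accounts[self._digest(new_token)] = record
        return new_token  # the old token stops working immediately

    def delete(self, token):
        # Removing the digest removes the whole account; nothing else exists.
        return self._accounts.pop(self._digest(token), None) is not None

    def stored_keys(self):
        return list(self._accounts)
```

A 16-digit decimal account number carries about 53 bits (entropy_bits(10, 16)), so a service using short numeric IDs still needs rate limiting on the authentication endpoint.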

 

4. It lowers support and operational costs

Also, the “economics of security” are no small burden to overcome.

Removing usernames means:

  • no password resets

  • no account recovery

  • no email verification

  • no identity management

  • no customer data to protect

Less data → fewer breaches → lower compliance burden → lower costs.

This is especially attractive for privacy‑focused VPNs that want to avoid GDPR headaches.

 

Is this “good enough” for security?

✔️ For VPN authentication: absolutely.

A long random token or key is:

  • harder to guess than any human password

  • not reused across services

  • not phishable

  • not memorable (which is good)

  • not tied to your identity

Security‑wise, it’s stronger than username/password.

✔️ For privacy: It’s better.

The provider knows less about you, and there’s less to leak.

✔️ For usability: It’s simpler.

You download a config file or paste a token — done.

This is hot and new! Or not?

It's not that we haven't seen this already. Think of API keys, OAuth tokens, and JWTs: all are “random ID = identity” models. No usernames. No passwords. Just a secret.

The same goes for zero‑knowledge storage services, privacy‑focused email aliases, IoT devices and embedded systems.

But it's good to see this trend growing.