Existing identity and security best practices are designed for machines. Obeying them is beyond human abilities.
They require perfect recall and perfect discipline to create and remember strong, unique passwords for dozens of accounts.
We’re supposed to have the superhuman ability to detect phishing, spoofing and social engineering attacks.
Usernames and email addresses are a ephemeral and fragmented representation of identity. Most users have a handful of preferred usernames and 2 or more active email addresses.
Users Need Security – None of us is perfect. Most people use a small number of passwords stored in stupid ways. And even fewer usernames. We blithely click on email and text links.