What are the pros and cons of using an email address as a user ID?

I am creating a web application that requires registration / authentication, and I consider using an email address as the only user ID. Here is what I see as pros and cons (updated with answers):

Pros

  • One less field to fill in during registration (it will only be an email address, password and password confirmation). I am a big fan of minimalist signup.

  • An email address is easier to remember. (thanks to Mitch, Jeremy)

  • You don’t need to worry that your favorite username is already taken; you are the only one using your email address. (thanks TStamper)

Cons

  • The user has more to enter each time they log in.

  • What if a user wants multiple accounts? They will need a different email address. (Do I even want users to be able to create multiple accounts?)

  • It’s easy for a potential attacker to guess (if they know the target’s email address, they know the login ID). (thanks Vasil)

  • Users may be tempted to use the same password that they use for their email account, which is poor security. (thanks Thomas )

  • If you frequently change email addresses, it can be difficult to remember which address you used to register on the site after a long break. (thanks Software Monkey )

  • An attacker can spam the registration form and use the "email already registered" responses to compile a list of valid email addresses. (thanks David)

  • Not everyone has an email address. (thanks Nicholas )

If I went with the email address as id, I would provide a mechanism to allow it to change if the user changes the address. In this case, users will not post content on a public site, so a separate username is not needed to protect email addresses (but this is something that needs to be considered for other sites).

Another option is to implement OpenID (this is another discussion).

This seems to work for Google, but their services are tightly integrated. What did I miss in my analysis? Do you have any recommendations? Does anyone have any experience to share?

FINAL EDIT

Thank you all for your answers. I decided to use email as the identifier, but then allow the creation of a username for logging in after registration. This gives a little flexibility while keeping the registration as short as possible. It also prevents problems when a user changes email addresses (they can simply log in with their username and update it). I will also introduce measures to prevent brute forcing of email addresses through the registration and login systems (mainly a cooling period after repeated attempts).

+67
authentication email registration
Mar 15 '09 at 2:45
15 answers

I prefer not to use pro / con lists, but instead try to think about the benefits and problems.

Problem:

Some users will be tempted to use the email address from their ISP. Being tied to a single email can be difficult for users who forgot to update their email on all the sites they subscribed to before changing Internet providers.

Instead:

You should consider allowing the user to provide multiple addresses as well as an identifier chosen by the user, and then let the user decide what they want to do. Perhaps also consider allowing the user to provide an OpenID account.

+4
Mar 15 '09 at 3:20

Personally, I prefer to use my email address as the username. It is one less thing to remember, and I never have to worry about my preferred name being taken.

Only my 2 cents!

+29
Mar 15 '09 at 2:49

I think you missed a PRO:

Users probably remember their email address; and since email addresses are unique, they will never have to worry about their preferred username already being taken.

+23
Mar 15 '09 at 2:48

As a user of websites, I can say that I hate remembering unnecessary usernames. I don't use a unique handle or anything, so I can never remember which variation of my name I used that wasn't already taken. I would rather just type my email address.

Also, I like OpenID.

+11
Mar 15 '09 at 2:48

Cons

  1. When the same password is used for the email account, compromising one automatically means compromising the other.

+11
Mar 15 '09 at 2:49

CON: Not everyone has an email address. Consider whether your database will be accessed by an internal application. If you run a store, people will call and place orders by phone and refuse to provide an email address. So if you use the email address as the default user ID, be sure to build alternatives into the system. (Of course, it depends on the context.)

Learned this the hard way.

+11
Mar 15 '09 at 4:20

One setup you might consider: require both a username and an email address. The email is used to log in and always stays private; the username is used to identify the user in any public interaction, for example when posting a comment. This is a bit safer, since both halves of the user's credentials remain private, whereas if you use the username both for login and as the public identifier, half of the credentials is already known.

I definitely agree with you that you want a minimal registration in most cases, but depending on what you are doing, you may need to balance this against the added security for your users. Four fields are not outrageous for registration (username, email address, password, password confirmation), and if you feel particularly adventurous, you can reduce it to three by dropping the password confirmation field, or to two by emailing them a password that they can change later.

+3
Mar 17 '09 at 17:38

PRO

People do not like having to create a unique name that matches their identity and that has not already been taken on the site. That is why using the email address as the user ID is so popular.

e.g. TStamper1930: who actually wants to remember the 1930 at the end of my name? Not what I really wanted.

+2
Mar 15 '09 at 2:53

CON: If an attacker can try to register random email addresses in bulk, he or she will be able to figure out which of these addresses are valid, based on which registrations fail. This is a tactic that can be used to compile lists of known valid email addresses, which are hot commodities on the spam black market.

Although, now that I think about it, this is a problem that affects any website that asks for an email address as part of the registration process, regardless of whether it has a separate username. But it still needs to be considered.

+2
Mar 15 '09 at 3:13

CON: If I change my email address, suddenly all my account logins are invalid. My name does not change, but my email often does. I have revisited sites after several years and got stuck... what was my email address two years ago???

+2
Mar 15 '09 at 3:15

Stick with email addresses; they are used everywhere, and in fact most major websites use them. They are unique, so they save the user from trying to find a name that is not used by others, and users will not forget their email addresses (in most cases at least :)), unlike usernames, which they will keep forgetting if they do not visit your site very often.

You should not worry that they are too long, since all major browsers (IE, FF, etc.) offer form auto-completion, which is enabled by default, so you type the first letters of your email and get a drop-down (autocomplete) list where you simply click to fill in the entire address. Personally I almost never type the email address completely; I always type the first letters and select the entry from the autocomplete drop-down. In addition, if you let users stay signed in (a Remember Me checkbox and persistent cookies), that is another reason not to worry about it.

I don’t know about your application, but usually users with multiple accounts are not desirable in most applications.

+2
Mar 15 '09 at 3:59

One con may be that if it is an email address, then the login can be guessed by people and brute-force attempts made. This is not a very big problem, as on most sites today usernames are displayed publicly anyway.

The biggest pro is that logins are easier to remember this way.

+1
Mar 15 '09 at 2:50

A good setup is requiring both a username and an email. Allowing a user to log in with either the email address or the username is very convenient. An added benefit is that the user can change their email address. It will also allow multiple accounts for a single email.

+1
Mar 15 '09 at 3:45
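The design the thread converges on (the asker's final edit, the "username plus email" answers above, and the registration-enumeration con) can be shown end to end in a small in-memory account store. This is an added example constructed for this page, not the asker's application or any answerer's code; the class name, method names, the 5-attempt threshold and 300-second cooling period, and the per-source throttle key are all assumptions. The email address is the identifier at sign-up, a username can be added afterwards, login accepts either, the address can be changed without losing the account, registration gives the same reply for new and existing addresses, and repeated failures trigger a cooling period.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical in-memory account store (constructed for this example).
class AccountStore
  LOCKOUT_THRESHOLD = 5     # attempts before a cooling period starts
  COOLDOWN_SECONDS  = 300   # length of the cooling period
  # Dummy credentials so a login for an unknown identifier costs the same
  # hashing work as one for a real account (no timing difference).
  DUMMY_SALT = SecureRandom.hex(16)
  DUMMY_HASH = OpenSSL::KDF.pbkdf2_hmac('x', salt: DUMMY_SALT, iterations: 20_000,
                                        length: 32, hash: 'sha256')

  # The clock is injectable so the cooling period can be tested deterministically.
  def initialize(clock: -> { Time.now.to_f })
    @accounts  = {}   # normalized e-mail => { email:, username:, salt:, hash: }
    @usernames = {}   # normalized username => normalized e-mail
    @throttle  = {}   # throttle key => { count:, until: }
    @clock     = clock
  end

  # Alice@Example.com and alice@example.com are the same identifier.
  def self.normalize(s)
    s.to_s.strip.downcase
  end

  # Same reply whether or not the address is already registered, so the form
  # does not reveal which addresses exist (the verification mail is the real
  # signal). Attempts are throttled per source (e.g. client IP), not per
  # address, so bulk probing from one source runs into the cooling period.
  def register(email, password, source:)
    key = self.class.normalize(email)
    tk  = "register:#{source}"
    return :cooling_down if cooling_down?(tk)
    bump(tk)
    unless @accounts.key?(key)
      salt = SecureRandom.hex(16)
      @accounts[key] = { email: email.strip, username: nil, salt: salt,
                         hash: hash_pw(password, salt) }
    end
    :check_your_email
  end

  # Optional username chosen after registration; must be unique and must not
  # look like an e-mail, so a login identifier is never ambiguous.
  def set_username(email, username)
    key, uname = self.class.normalize(email), self.class.normalize(username)
    return :unknown_account unless @accounts.key?(key)
    return :invalid_username if uname.empty? || uname.include?('@')
    return :username_taken if @usernames.key?(uname) && @usernames[uname] != key
    old = @accounts[key][:username]
    @usernames.delete(self.class.normalize(old)) if old
    @accounts[key][:username] = username.strip
    @usernames[uname] = key
    :ok
  end

  # Changing the address keeps the account; the username keeps working.
  def change_email(old_email, new_email)
    old_key, new_key = self.class.normalize(old_email), self.class.normalize(new_email)
    return :unknown_account unless @accounts.key?(old_key)
    return :email_taken if @accounts.key?(new_key) && new_key != old_key
    acct = @accounts.delete(old_key)
    acct[:email] = new_email.strip
    @accounts[new_key] = acct
    @usernames[self.class.normalize(acct[:username])] = new_key if acct[:username]
    :ok
  end

  # Login with either e-mail or username. "No such account" and "wrong
  # password" give one identical answer; repeated failures from one source
  # against one identifier trigger the cooling period.
  def login(identifier, password, source:)
    key = self.class.normalize(identifier)
    key = @usernames.fetch(key, key)
    tk  = "login:#{source}:#{key}"
    return :cooling_down if cooling_down?(tk)
    acct = @accounts[key]
    salt, stored = acct ? [acct[:salt], acct[:hash]] : [DUMMY_SALT, DUMMY_HASH]
    if secure_compare(hash_pw(password, salt), stored) && acct
      @throttle.delete(tk)
      :ok
    else
      bump(tk)
      :invalid_credentials
    end
  end

  private

  def hash_pw(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 20_000, length: 32, hash: 'sha256')
  end

  # Constant-time comparison of two binary strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def cooling_down?(tk)
    entry = @throttle[tk]
    !entry.nil? && entry[:until] > @clock.call
  end

  def bump(tk)
    entry = (@throttle[tk] ||= { count: 0, until: 0.0 })
    entry[:count] += 1
    return if entry[:count] < LOCKOUT_THRESHOLD
    entry[:until] = @clock.call + COOLDOWN_SECONDS
    entry[:count] = 0
  end
end
```

The two points practitioners most often get wrong are visible in `register` and `login`: the registration reply is identical for new and existing addresses, and the login path does the same password-hashing work whether or not the identifier exists, so neither the message nor the response time distinguishes a valid address from an invalid one.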

To address the item in your post about it being too long to type each time: I used the Ruby StringScanner library.

    require 'strscan'

    class User
      attr_accessor :email, :login

      # Store the e-mail, then take everything before the "@" as the login.
      def signup!(user)
        self.email = user[:email] unless user[:email].nil? || user[:email].strip.empty?
        str = StringScanner.new(self.email)
        str.scan_until(/@/)          # advance past the "@"
        self.login = str.pre_match   # the text before the match
      end
    end

etc.

Then simply change the login method to allow either email or login to match the password.

This works the same as Google or MobileMe. The user can choose to simply enter the username part of their email (i.e. username instead of username@gmail.com).

+1
Jan 30 '10 at 14:35
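Deriving the login from the part before the "@" has one catch the answer does not mention: local parts are only unique within a domain, so alice@gmail.com and alice@yahoo.com both yield "alice". The following is an added example, not the answerer's code; it uses StringScanner the same way and then checks the derived login against a set of logins already in use (`taken`, constructed here), appending a numeric suffix on collision.

```ruby
require 'strscan'
require 'set'

# Local part of an e-mail address, lower-cased; nil when there is no "@".
def local_part(email)
  s = StringScanner.new(email.to_s.strip.downcase)
  return nil unless s.scan_until(/@/)   # no "@": not an address, no login
  s.pre_match                            # everything before the "@"
end

# Suggest a login for a new account: the local part, made unique against
# `taken` (a Set of existing logins) by appending 2, 3, ... on collision.
def suggest_login(email, taken)
  base = local_part(email)
  return nil if base.nil? || base.empty?
  candidate, n = base, 1
  while taken.include?(candidate)
    n += 1
    candidate = "#{base}#{n}"
  end
  candidate
end
```

Whatever login is suggested should still be shown to the user for confirmation; a silently assigned "alice2" is exactly the kind of name people forget.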

If you don’t mind forcing users to log into your application with Facebook or some other social network (most people don't seem to mind), you can simply use their email on the social network as their user ID when linking to other tables / documents (MySQL, Mongo, etc.).

I noticed that the bonus of using social-network logins is that all the security is handled by the social network in question, including not allowing two users to have the same email address or username in its database, thereby sparing you the hassle of coding all of that. These are just my personal preferences.

0
May 2 '16 at 17:18