views:

603

answers:

10

You know most login forms use user & pass.

And some go with email & pass. What are the pros and cons of them? Here is what I have thought of.

PROS of email

  • one less thing to remember (as opposed to remembering a username too)
  • Should always be unique per user
  • One less thing you need to ask them to register

CONS

  • If they change email - could they potentially try and use their new email to access the site?
  • For forgot password - it says 'please enter your email', and if they have abandoned their old email they could potentially be stuck.

I do believe this is programming related because ease of use of a web application is something important that shouldn't be overlooked.

+13  A: 

Another thing to remember is that if other users can also see the "username", you shouldn't use mail addresses due to privacy issues.

Tal Pressman
+1 thanks - useful info
alex
Not always. The username should never be the public facing name. That goes for email as username or just usernames. Separate the username (or email) from the public "presence" name.
Phillip
+1  A: 

Email (pro) - lessens account-creation spamming because you could confirm their account by sending an email to them.

JasonV
You can require an email address to link to the account and verify the account by that email address. This does not change if you have a username for authentication. I recommend it though.
TheJacobTaylor
Practically every site you sign up for will ask for an email address, regardless of whether it's used as the username or not.
DisgruntledGoat
+2  A: 

Email makes a good username as long as you provide a means for changing the email address. LinkedIn provides this as you create an account with an email as the username. They also allow you (once logged in) to change the primary email address which then changes your username to be that email address.

As long as you do something like this then you should be all set.

Andrew Hare
In the event that something happens and the email address cannot be recovered for lost passwords, I would recommend having some form of email or phone communication for account recovery. In my opinion, you should have this anyway, regardless of whether you use usernames or email as usernames. Use account demographics to confirm the user is who they say they are.
Phillip
+3  A: 

OpenID and OAuth ... it just appears better. Even fewer users to manage for them, and it makes migrating in one place easier on a change.

Yes, you have to be careful. I would insist that the backup email address (an additional profile field) is different than the email address they are using for the user. Many systems also have some other fields that then can use to authenticate themselves if things get really hairy. At this point though, it would frequently require a tech support call.

Depending on the type of system, using email may be a security vulnerability. I know your email address, I don't know what you might put into a username prompt. If being able to easily guess a username is an issue, then I would not use email address.

Jacob

TheJacobTaylor
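Andrew Hare's answer (change the login email without losing the account) and the backup-address point in the answer above, together with Tal Pressman's privacy point, describe one account shape: a stable internal id, a display name that is never the email, a login email that changes only after the new address is verified, and a recovery address that must differ from it. An added example of that shape, not code from any answer here or from any product named on this page; the in-memory store stands in for a users table:

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
@dataclass
class Account:
    user_id: int                      # stable internal key: never changes with the email
    login_email: str                  # credential identifier, normalised lowercase
    display_name: str                 # what other users see; the login email is never shown
    backup_email: str | None = None   # recovery channel; must differ from login_email
    pending_email: str | None = None  # new address awaiting confirmation
    pending_token: str | None = None

def normalise(email: str) -> str:
    return email.strip().lower()

class AccountStore:
    def __init__(self) -> None:
        self.by_id: dict[int, Account] = {}
        self.by_email: dict[str, int] = {}  # unique index on login_email

    def register(self, user_id: int, email: str, name: str, backup: str | None = None) -> Account:
        email, backup = normalise(email), (normalise(backup) if backup else None)
        if email in self.by_email or backup == email:
            raise ValueError("login email in use, or backup email equals login email")
        acct = Account(user_id, email, name, backup)
        self.by_id[user_id], self.by_email[email] = acct, user_id
        return acct

    def request_email_change(self, user_id: int, new_email: str) -> str:
        # The old address keeps working until the new one proves it receives mail.
        new_email = normalise(new_email)
        if new_email in self.by_email:
            raise ValueError("login email already in use")
        acct = self.by_id[user_id]
        acct.pending_email, acct.pending_token = new_email, secrets.token_urlsafe(32)
        return acct.pending_token  # the caller sends this token to new_email only

    def confirm_email_change(self, user_id: int, token: str) -> bool:
        acct = self.by_id[user_id]
        if acct.pending_token is None or not secrets.compare_digest(acct.pending_token, token):
            return False
        del self.by_email[acct.login_email]
        self.by_email[acct.pending_email] = user_id  # user_id unchanged: sessions and data intact
        acct.login_email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
        return True

    def recovery_address(self, login_email: str) -> str | None:
        # Resets go to the backup mailbox when one exists, so an abandoned login mailbox does not strand the user.
        acct = self.by_id.get(self.by_email.get(normalise(login_email)))
        return None if acct is None else (acct.backup_email or acct.login_email)
```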
+1  A: 

Con: When you require a username to be shared among applications such as web site and email, it can raise security concerns. For example, whoever has access to the usernames in the web site will also have access to the email addresses if the email is used for the username. Usually this is not a problem, but it could be. It is generally a good policy to keep usernames and passwords separate between applications unless there is a common login procedure, or unless security is not important.

xpda
Generally if they have access to the username they will probably have access to the email address as well, because access to the username usually requires some database accessibility. If they have access to the database they have access to more than just the username. At least that's my opinion.
Phillip
A: 

When you use Email addresses, it's easier for a member to change their username, for example when pwng0d69 wants to be known as Jon Skeet. However for each site that asks for my email address, personally I cringe at yet another source of potential spam.

Use Open ID :)

Moak
A: 

CON: It's one less insulating layer between the user and spammers. If, somehow, somebody got a full list of usernames, they would be able to spam all your users. But if the site uses usernames, with emails as a secondary field, this isn't a concern.

Unless they get all user data, of course, but that's a much bigger problem anyways.

Cinder6
A: 

PRO: It seems that some services are considering making e-mail the standard for identifying a specific user across the net:

e.g. http://www.techcrunch.com/2009/08/14/google-points-at-webfinger-your-gmail-address-could-soon-be-your-id/

CON: This hasn't happened yet, and there are lots of other options such as OpenAuth and OpenID that are around now and have some support (you also have login using Facebook spreading).

Just tailor your choice for identity to whatever the target audience of your app will be.

nicoslepicos
A: 

We used Arena Solutions 'Product Lifecycle Management' software before a change in company ownership mandated a change. It was one of those deals where all your sensitive company data is hosted somewhere offshore and could be accessed by browser from anywhere.

Arena PLM was touted as highly secure, but the (default) behaviour was to require an email address as a username. It allowed strong passwords with an expiry date, but when my password expired I was told I could choose another one, or just continue to use the old one!

I think the security claims were based on the use of SSH for data transfers, but it seemed to me a determined person could log in because

  • The usernames were publicly available company email addresses, and
  • There was plenty of time to guess a password because a lazy user wouldn't choose a new one.

It means, of course, that the use and renewal of strong passwords must be enforced.

pavium
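The gap pavium describes is an expiry that is announced but not enforced. An added example, not Arena's code and not from any answer here, of the check that closes it: an expired password is accepted only to reach the change-password step, everything else is refused until it is replaced, and the replacement may not be the expired password itself. The 90-day rotation period and the PBKDF2 work factor are assumptions; timestamps are seconds since the epoch.

```python
import hashlib
import hmac
import os

MAX_AGE_SECONDS = 90 * 24 * 3600   # assumed rotation period; site policy sets the real value
ITERATIONS = 600_000               # PBKDF2-HMAC-SHA256 work factor (assumption)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class Credential:
    def __init__(self, password: str, now: float) -> None:
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.changed_at = now
        self.must_change = False   # set once the password has aged out

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(password, self.salt))

def login(cred: Credential, password: str, now: float) -> str:
    """Returns 'denied', 'change_required' or 'ok'."""
    if not cred.matches(password):
        return "denied"
    if now - cred.changed_at >= MAX_AGE_SECONDS:
        cred.must_change = True    # the session may reach only the change-password page
        return "change_required"
    return "ok"

def authorised(cred: Credential, action: str) -> bool:
    # An expired credential buys nothing but the right to replace itself.
    return action == "change_password" or not cred.must_change

def change_password(cred: Credential, current: str, new: str, now: float) -> bool:
    # Refuse a wrong current password, and refuse a "new" password that is the old one:
    # the latter is the "just continue to use the old one" behaviour described above.
    if not cred.matches(current) or cred.matches(new):
        return False
    cred.salt = os.urandom(16)
    cred.digest = _hash(new, cred.salt)
    cred.changed_at, cred.must_change = now, False
    return True
```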
A: 

I've done this for b2b apps and it's a real pain when a user leaves a client company and someone else is using the old deactivated email address as a login and purposely not changing it to avoid getting email from us.

We end up with password-reset email that bounces and support calls to fix things.

sal