views:

1350

answers:

14

I'm creating a web app that requires registration/authentication, and I'm considering using an email address as the sole user id. Here are what I see as the pros and cons (updated with responses):

PROS

  1. One less field to fill out during registration (it would just be email address, password, and verify password). I'm a big fan of minimalistic registration.

  2. An email address is easier to remember. (thanks Mitch, Jeremy)

  3. You don't have to worry about your favorite username being taken already - you're the only one who uses your email address. (thanks TStamper)

CONS

  1. User has more to type every time they log in.

  2. What if a user wants multiple accounts? They'll need another email address. (Do I even want a user to be able to create multiple accounts?)

  3. Easy for a potential attacker to guess (if they know the target's email address, they know the login id). (thanks Vasil)

  4. Users may be tempted to use the same password they use for their email account, which is bad security. (thanks Thomas)

  5. If you change email addresses frequently, it may be difficult to remember which address you used to sign up for a site after a long hiatus. (thanks Software Monkey)

  6. A hacker could spam the registration form and use "email already taken" responses to generate a list of valid emails. (thanks David)

  7. Not everyone has an email address. (thanks Nicholas)

If I went with email as id, I would provide a mechanism to allow it to be changed in the event a user changes address. In this case users would not be posting content to a public site, so a separate username won't be necessary to protect the email addresses (but it is something to consider for other sites).

Another option is to implement OpenID (which is a whole other debate).

This seems to work for Google, but their services are tightly integrated. What have I missed in my analysis? Do you have any recommendations? Does anyone have experiences to share?

FINAL EDIT

Thank you all for your responses. I have decided to use email as an id, but then allow the creation of a username for login purposes after registration. This allows a little flexibility while keeping registration as short as possible. It also prevents problems when a user changes email addresses (they can just log in with their username and update it). I will also be implementing methods to prevent brute-forcing of email addresses out of the registration and login systems (mainly a cool-down period after repeated attempts).

+12  A: 

I think you missed a PRO:

Users are likely to remember their email address

Mitch Wheat
+8  A: 

As a user of websites, I can tell you that I hate memorizing unnecessary usernames. I don't use a unique handle or anything so I can never remember which variation of my name I used that wasn't already taken. I'd much rather type my email address.

Also, I like OpenID.

BC
You're a user of websites? ;)
Chris
+15  A: 

Personally, I prefer just using my email address as a username. It's one less thing to remember, and I never have to worry about my preferred name being already taken.

Just my 2 cents!

Jeremy Kratz
+6  A: 

CONS

  1. When the same password is used for the e-mail account, compromising the one automatically means compromising the other.
Thomas
This is an issue that needs to be elevated. Everyone should use a unique password for their email account.
BC
They should, but they don't. Sad but true.
Thomas
This is not a problem with using this method. It's a problem for the user. So I wouldn't consider it a con.
Cadoo
If your email password is compromised, you're in a whole lot of trouble, and that's your problem, not mine (speaking as an administrator of a site that uses emails for logins).
Chris
This is often true whenever an e-mail is associated with an account, not only when the e-mail is used as login. Most services provide a way to reset the password if you control the e-mail the account was registered with.
Henk
@Henk: you're right. I thought this was a one-way thing, but of course the e-mail address is somewhere in the user's profile information, so compromising the account on the website also means they can get into your e-mail. It's just a little bit less straightforward.
Thomas
+1  A: 

One con might be that if it's an email address the login can be guessed by people and brute force attacks attempted. Which is not really a big issue, since on most sites today the logins are publicly displayed.

The biggest pro is that logins are easier to remember this way.

Vasil
+2  A: 

PRO

People hate having to create a unique name that fits their id and that has not already been taken to register for a site..So this is why the user id as EMAIL ADDRESS is so embraced.

ex:TStamper1930, who actually wants to remember 1930 at the end of my name that I really wanted

TStamper
no...lol it was just an example..im 22.check my profile
TStamper
+2  A: 

CON: If a hacker can try registering random email addresses en masse, he or she will be able to figure out which of those addresses are valid based on which registrations fail. This is a tactic that can be used to put together lists of known valid email addresses, which are a hot commodity on the spam black market.

Although now that I think about it, that's a problem that affects any website which asks for an email address as part of the registration process, regardless of whether or not there's a separate username. But it's still something to think about.

David Zaslavsky
A website should probably be setup to detect and blacklist this kind of malicious attempt.
Cadoo
+2  A: 

CON: If I change my email address, suddenly all my account names are invalid. My name doesn't change, but my email often does. I have occasionally revisited a site after a number of years, and been stuck... what was my email address two years ago???

Software Monkey
+1  A: 

I tend to not prefer pro/con lists, and instead try to think of benefits and challenges.

Challenge:

Some users will be tempted to use their email address from their ISP. Linking to an email alone, may be difficult for the users who forget to update their email in all the web sites they have signed up for before they change ISPs.

Instead:

You should consider allowing a user to provide multiple addresses, as well user-selected id and then let the user decide what they want they wish to do. Perhaps also consider allowing the user to provide an OpenID account.

Zoredache
A: 

A good setup is to require username and email. Allowing the user to login with either email address or username is very user friendly. An added benefit is the user can change their email address. It would also allow multiple accounts for one email.

Cadoo
+1  A: 

Stick to email addresses they are used everywhere, actually most of the major websites use them, they are unique so they save the user from struggling to find a name that's not used by others, also users won't forget their email addresses (in most cases at least :)), which is unlike usernames that they will keep on forgetting if they don't visit your site very often.

You shouldn't be worried about them being too long as all the major browsers (IE, FF .. etc) offer autocomplete to forms which is enabled by default, so you type the first letters in your email and you get a drop down list (ie. autocomplete list) where you just click to enter the whole email, personally I almost never type the email address in full, I always type the first letters then select the email from the autocomplete drop down list. Besides, if you allow users to be remembered (using a Remember Me checkbox and persistent cookies), it will be another reason to not worry about it.

I don't know about your app but usually users having multiple accounts is not desirable in most apps.

Waleed Eissa
+5  A: 

CON: Not everyone has an e-mail address. Consider if your database is ever accessed by an internal application. If you are running a store, people will call up and place an order by phone and refuse to provide an e-mail address. So while having an e-mail address as the default user ID is cool, be sure to allow alternates to get into the system. (Of course, this depends on the context.)

Learned this one the hard way.

Nicholas Piasecki
Very nice points!
strager
Obviously your answer is related to e-commerce websites, for most other websites you usually ask the user to verify or confirm their accounts by sending them a message at their email addresses with a link to activate their account, bottom line an email address is needed anyway
Waleed Eissa
+1  A: 

One setup you may want to consider: Have both a username and an email. The email is used to login and is always kept private, the username is used to identify the user in any public interaction, such as posting a comment. It winds up being slightly more secure as both halves of the user login credentials are kept private, whereas if you use a username for both login and public identification, half of the login is already known.

I definitely agree with you about having minimal registration for most cases, but depending on what you're doing you may want to balance that against added security for your users. Four fields isn't outrageous for registration, (username, email, password, confirm password), and if you're feeling particularly adventurous, you could cut it down to three by dropping the confirm password field, or two by emailing them a password that they can change later.

VirtuosiMedia
A: 

To solve your con item of the email being too long to type in every time. I have implemented the StringScan Ruby library.

require 'strscan'

def signup!(user, &block)

self.email = user[:email] unless user[:email].blank?

str = StringScanner.new(self.email)

str.scan_until(/@/)

str.pre_match

self.login = str.pre_match

etc..

Then just change login method to allow either email or login to match password.

This works just like google or mobileme. A user can choose to just type in their email username (ie. username instead of [email protected].)

Steve