I am in the middle of a web application build and a discussion has come up that has prompted us to possibly rethink how we are incorporating the "username". I was wondering if anyone is willing to chime in and give me their thoughts and/or experiences on using an e-mail address as a username instead of the user coming up with a username themselves.
Here are my initial thoughts on using the e-mail address as the username:
One less piece of information for the end-user to remember.
One less piece of information for a malicious user to remember.
Places a bit more difficulty on changing the e-mail address for an existing user, since the username would also have to change. (But it is do-able.)
Some end-users share e-mail addresses. The thought is that these end-users are mostly elderly couples and newlyweds, but it would be nice to verify this with some sort of statistic.
[your thoughts here]
What kind of a web application are you building? On an e-commerce application that I recently built, I used e-mail address as the username. However, if I were to make a Content Management System, I would certainly use a separate field for the username, such that it is not changeable.
Check some famous sites: amazon.com and paypal.com do not have a username field (they may display your name, but you log in using your e-mail).
However, most forums follow the username approach. Obvious reasons? One cannot change his username as all of his posts would seem to be made from a different person.
That is a great point you bring up. This application is going to kind of blur those lines of CMS and e-commerce. For some end-users, content creation will be possible, yet for others, it will not. However, for any generated content that will be tagged with the user identity, a username would probably be the preferred token of choice by the end-user. Thank you for your thoughts.
Does anyone else have any opinions?
You could add a username field, but still keep them logging in with their e-mail address. This is what Xbox Live does, as well as a lot of services that use their login service (Windows Live ID; such as, Fox Fantasy Football), and they usually display something else and even allow you to supply a different e-mail address.
Also, I prefer logging in with my email address because it's easy to remember (and usernames are not the intended secure part of the username/password pair).
Yes, there are two camps: ones that seem to work well with username (more anonymous), like social networking sites, but many work better with e-mail addresses, like e-commerce sites. I wish MS had developed the membership system with a LoginMode option (setting in web.config) to handle either username or e-mail as your login id, but then we wouldn't have all these hacks to play with ;-P.
I have read several posts on this subject (some good, some bad) and would appreciate it if you could contribute any code or links for using an e-mail authentication solution.
Thanks,
Victor
Other than the thoughts I originally expressed, I haven't since had any other concerns. However, as my project hasn't officially launched to the public, I do not have any other "real world" information to offer you yet in regards to end-users. That being said, I am also using DotNetNuke as my code base for this project. Since this framework surrounds itself with using the "username" for most areas, there are quite a few tweaks to be made (custom providers, core code modifications, language pack modifications, etc.). However, we believe that this is the best approach for the application we are going to be providing.
I hope I answered your questions.
Someone asked me to add to what I had said earlier, and while I don't have any real code to show, I can try to explain it a little further.
Every site obviously has a username field (whether it be this site where mine is "pickyh3d" or Xbox Live! where my username is actually my email address) and a password, so in your database you can keep your two text fields (doesn't matter really if you restrict length or not, but the point is they are variable length text values... though I do suggest not limiting the password field and try keeping the username field as large as you can get away with).
Let's say you have this in your DB:
table Users {
    username ntext
    password text
}
If you want to add an email field, then you simply need to add another text field in your database for email, which is probably already there in most databases anyway.
Now, in my last post I mentioned creating a style where they have a username and an email address, but they log in with the email address--in this case, the username really becomes a nickname, but it's still a username too because it is the user's name for your site. Any site that uses the Live Passport (used to be called .NET Passport, I think--it's been renamed for a while) system gives a good example of this, as they all require you to log in using your email address and password, but then they require you to create a site username/nickname. The nice thing about this system for sites such as Fox Fantasy Sports (I play Fantasy Football with some friends, which is why this is in my head), it gives you the ability to tie multiple usernames/nicknames (in this case, a team name) to a single user (your email address)--it also gives the ability on each league to allow or show your email address.
Usernames are not the part of the username/password combo meant to be secure, but no one really wants their email address out there for the world, or more importantly, spam bots, to see.
You could convert just about any site using a normal login scheme to this scheme by simply updating the table (or creating another user info table linked to the user's id/primary key) and adding the nickname field, then transfer the existing username to that field and setting the email field to the username field (a two pronged approach--you'd need to do the username to nickname field first, then the email to username field) and slowly require people to enter in email addresses to login with, or if you already have them, start comparing against those rather than the username field. Of course, you'd need to give a lot of warning ahead of time for this change on an existing site.
As hismightiness suggested, it may take some time to go through and change the username part of the codebase to start looking at the nickname instead of the username field (of course, if you just change the login code to check the email field and use the username field as the nickname field, then you could maybe avoid some of that altogether), but at the end of the day, I prefer that kind of approach and I think a lot of other people do too.
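The two-step conversion described in the post above, together with the shared e-mail concern from the opening post, as an added example that is not code from this thread or from DotNetNuke. It uses SQLite through Python rather than SQL Server; the nickname and login_email columns, the function names and the sample rows are assumptions made for illustration, and password handling is left out.

```python
import sqlite3

# Constructed sample rows (username, email); two accounts share one mailbox.
SAMPLE_USERS = [("pat", "Pat@Example.com"), ("lee", "lee@example.com"),
                ("grandma", "family@example.com"),
                ("grandpa", "FAMILY@example.com"), ("sam", None)]

def make_legacy_db():
    """In-memory copy of the legacy layout, where the login id is the username."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, "
                 "username TEXT NOT NULL UNIQUE, email TEXT)")
    conn.executemany("INSERT INTO Users (username, email) VALUES (?, ?)",
                     SAMPLE_USERS)
    conn.commit()
    return conn

def migrate_to_email_login(conn):
    """Step 1: username -> nickname. Step 2: e-mail -> login id where unambiguous.
    Returns the nicknames of accounts that still have no e-mail login."""
    conn.execute("BEGIN")  # explicit, so the schema changes roll back too
    with conn:             # commit on success, rollback on any exception
        conn.execute("ALTER TABLE Users ADD COLUMN nickname TEXT")
        conn.execute("ALTER TABLE Users ADD COLUMN login_email TEXT")
        conn.execute("UPDATE Users SET nickname = username")
        # Promote only addresses owned by exactly one account (case-insensitive).
        conn.execute("""
            UPDATE Users SET login_email = lower(trim(email))
            WHERE email IS NOT NULL AND trim(email) <> ''
              AND lower(trim(email)) IN (
                  SELECT lower(trim(email)) FROM Users
                  WHERE email IS NOT NULL
                  GROUP BY lower(trim(email)) HAVING count(*) = 1)""")
        # SQLite permits repeated NULLs here, so unmigrated rows do not collide.
        conn.execute("CREATE UNIQUE INDEX ux_login_email ON Users(login_email)")
    rows = conn.execute(
        "SELECT nickname FROM Users WHERE login_email IS NULL ORDER BY id")
    return [r[0] for r in rows]

def find_user_by_login(conn, login):
    """E-mail first; the old username works only for accounts not yet migrated."""
    row = conn.execute("SELECT id, nickname FROM Users WHERE login_email = ?",
                       (login.strip().lower(),)).fetchone()
    if row is None:
        row = conn.execute("SELECT id, nickname FROM Users "
                           "WHERE login_email IS NULL AND username = ?",
                           (login,)).fetchone()
    return row
```

Accounts returned by migrate_to_email_login are the ones that need the advance warning the post mentions: they have to supply a unique address before the username fallback can be switched off.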
Thanks, pickyh3d... That is some very valuable insight!