Log-in using Email or Username?

Should users log in to my website using…

1.) Email
2.) Username
3.) Either

The way I have things currently, a user logs in using Email/Password, but once they are logged in, they are identified by Username. That way, other users would never know your email.

This seems okay to me, but when I think about it, it seems like most websites I visit use Username/Password to log in?! :-/

Thoughts?

Sincerely,

Debbie

P.S. To be honest security is more of a driver to me than “usability”…

Assuming that you’re not using an SSL certificate, for security, I’d say use the username. Either way, without an SSL cert you are effectively broadcasting the username/email/password in the clear, which can potentially be intercepted.

Also, keep in mind that folks might want to change their email address at some point.

Wrong assumption. (Why would anyone do a log in script without using HTTPS?!)

Also, keep in mind that folks might want to change their email address at some point.

I have a unique index on “email” - and another one on “username” - but I still allow people to change their e-mail address.

What I was expecting someone to say is, “It is too much of a hassle to have to type in an entire e-mail address to log in. Using a Username is typically shorter, and thus perceived as easier.”

For now Email/Password - via HTTPS - is how you log in. I just figured I’d ask, because maybe in v3.0 it would be better to use Username/Password, or offer both ways as valid authentication methods?

Sincerely,

Debbie

Many sites don’t use SSL certs, especially forums and website commenting systems. For example, sitepoint doesn’t have SSL enabled on the forums.

Typically, any sites handling email, personal information, or financial information have SSL certs installed.

What I was expecting someone to say is, “It is too much of a hassle to have to type in an entire e-mail address to log in. Using a Username is typically shorter, and thus perceived as easier.”

A valid reason. Plus, longer usernames mean there’s a greater potential for typos, which might lead to lock-outs and password resets.

For now Email/Password - via HTTPS - is how you log in. I just figured I’d ask, because maybe in v3.0 it would be better to use Username/Password, or offer both ways as valid authentication methods?

Using both means there are two potential avenues for attack.

Is there any compelling reason to switch from Email to Username for authentication?

I would argue Email is easier because everyone knows their Email Address - unless you have numerous ones.

Because the Internet has become so E-mail centric in so many ways, Email just seems like a good unique identifier, plus an easier way for people to log in. (I think maybe 10-15 years ago, using a Username may have been more compelling…)

At any rate, unless someone can give me a solid reason to NOT use Email, then I think my authentication system is okay as-is.

Thanks,

Debbie

Emails are becoming more and more common as identifications for logging in. A lot of sites give people the choice to use one or the other. Twitter allows you to choose both, Amazon and Facebook make you use email address, SP uses username (though that’s because it’s a vB format). So it just becomes a matter of preference.

I just would argue to ensure that you allow them to create a username, and that is the identifiable point for your site - otherwise you’ll have made your site a prime email harvesting point, which will make it very difficult to get users.

Do you agree with ForceFlow that allowing people to log in using either an Email or Username is a security weakness?

(I think the more choices and flexibility you offer the better - to a point.)

I just would argue to ensure that you allow them to create a username, and that is the identifiable point for your site - otherwise you’ll have made your site a prime email harvesting point, which will make it very difficult to get users.

As mentioned above, people register and log in with an Email/Password, but when they are logged in, they are identified purely by Username. (So unless my database gets hacked, there is no way to ever know other users’ Emails.)

Sincerely,

Debbie

Yes, but his point is if you use email, it should be under https, not straight http. The examples I pointed to all fall under those guidelines.

Otherwise, someone could put a simple packet sniffer and catch unencrypted email addresses.

So if you want them to enter email address, you should use https (SSL). If you don’t want to use ssl, then use a username login system.

I read what he said a different way. I thought he was saying that if I used Email for the log in and didn’t use Username once they are logged in, then hackers could easily gather people’s Emails by searching the site.

I will always use HTTPS/SSL for anything dealing with a User’s Account (e.g. Log-In, Profile, Private Messaging, Preferences, etc.)

But back to the security issue, come to think of it, if you used Username and you identified people by Username - as SP does - then to hack into someone’s account, all you need to do is guess the password?! (By using Email to log in, you’d have to already know or correctly guess both a valid Email and the corresponding Password, so that makes using Email safer since it is not public knowledge like Username would be…)

Debbie

I believe that ForceFlow is quite correct, logically at the very least, that more options for identifiers will increase the probability of one of those valid data being known by people who should not know it.

My perspective of log-in systems is cautious; perhaps extremely so, but with some justification. I do not like to see any system that accepts a publicly viewable user name (yes, Sitepoint, this includes you) and I am not much more keen on an e-mail address. I use an otherwise undisclosed e-mail address for all sign-up systems, but most people do not.

Look at the BBC for a slightly better than average example. People can comment below some content, so their user name is visible; but this public nickname can be different from the private ID that one uses to sign in. Unfortunately, it partly undoes this good (for careless users anyway) by also accepting an e-mail address. As I mentioned, most people are not as careful as me, so you can bet that passwords are reused to some extent and e-mail addresses are bandied about freely.

The best option that you can offer is a private sign-in ID; the next best is an e-mail address, which at least has a chance to be private if people so wish.

Possibly.

My perspective of log-in systems is cautious; perhaps extremely so, but with some justification. I do not like to see any system that accepts a publicly viewable user name (yes, Sitepoint, this includes you) and I am not much more keen on an e-mail address. I use an otherwise undisclosed e-mail address for all sign-up systems, but most people do not.

Ditto.

Look at the BBC for a slightly better than average example. People can comment below some content, so their user name is visible; but this public nickname can be different from the private ID that one uses to sign in. Unfortunately, it partly undoes this good (for careless users anyway) by also accepting an e-mail address. As I mentioned, most people are not as careful as me, so you can bet that passwords are reused to some extent and e-mail addresses are bandied about freely.

But I feel I am offering the same approach as the BBC…

You sign up with your Email/Password which are never disclosed. (And I agree with your “Do not use your main e-mail for such trivia.”)

Then you can choose a Username - which really is the same as the BBC’s “Nickname”. On my site, this, of course, doesn’t have to be identifiable back to the user, just unique in the system.

If I ever did allow people to log in via Email or Username, then I would logically have to add a “Nickname” as well, so that - in theory - the Email and Username remain private, or at least in the context of the website.

For now, I think just sticking to Email/Password is the most practical approach.

Good comments!! :tup:

Sincerely,

Debbie
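The design the thread settles on (a private sign-in identifier, a separate public nickname, and optionally accepting username as well as email) can be sketched in code. This is an added example, not code from any poster or from SitePoint; the in-memory store, the PBKDF2 parameters and the sample user are constructed assumptions. It also shows the point ForceFlow and the later poster raise: whichever identifiers are accepted, a failed login must look the same whether the identifier exists or not, so the log-in form cannot be used to harvest valid emails or usernames.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory user store (assumption: stands in for the two
# unique-indexed columns, email and username, mentioned in the thread).
_USERS = {}       # normalized email -> record
_USERNAMES = {}   # lowercased username -> normalized email

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; iteration count is an assumed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(email: str, username: str, nickname: str, password: str) -> None:
    email_key = email.strip().lower()
    user_key = username.strip().lower()
    if "@" in user_key:
        raise ValueError("username must not look like an email address")
    if email_key in _USERS or user_key in _USERNAMES:
        raise ValueError("identifier already in use")  # mirrors the unique indexes
    salt = os.urandom(16)
    _USERS[email_key] = {"salt": salt, "hash": _hash(password, salt),
                         "username": username, "nickname": nickname}
    _USERNAMES[user_key] = email_key

# Dummy credential so a lookup miss costs the same as a hit: a probe with an
# unknown identifier cannot be told apart from a wrong password by timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login(identifier: str, password: str, allow_username: bool = False) -> Optional[str]:
    """Return only the public nickname on success, None on any failure.
    The reason for failure is never exposed to the caller."""
    key = identifier.strip().lower()
    if key in _USERS:
        email_key = key
    else:
        email_key = _USERNAMES.get(key) if allow_username else None
    record = _USERS.get(email_key) if email_key else None
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(_hash(password, salt), expected)  # constant-time compare
    return record["nickname"] if (ok and record) else None

if __name__ == "__main__":
    register("demo@example.invalid", "demo_user", "Demo", "correct horse battery")
    print(login("Demo@Example.invalid", "correct horse battery"))  # prints the nickname
```

The email is normalized before lookup so a user who registered with mixed case can still sign in; the username path is only consulted when the site has chosen to allow it.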