Less is more? Let email addresses be usernames

  • generate and assign a numeric account ID (e.g. 024171): the user must now remember it, and needs it to log in, get support, etc.
  • generate and assign an alphanumeric account ID (e.g. user2810 or <firstname><lastname><random number>): the user must remember it, and needs it to log in, get support, etc.
  • let the user pick an alphanumeric username (which now has to be checked against existing usernames): they still need to remember it
  • something else?
Hooray, another login window

The drawing board

Does your system require a username at all?

Could they legitimately share the account?

What if they forget?

Don’t make assumptions around password managers

Could the same user legitimately require more than one account?

  • online banking: no
  • social media: probably shouldn't have multiple individual accounts, but may have a personal account plus organisational ones
  • email: users usually don't need multiple accounts within the same domain (user1@domain.tld and user@domain.tld would be the same human)
  • productivity suites (G Suite, Office 365): maybe, but probably shouldn't unless they hold administrative roles
  • work/task management (Atlassian, Trello.com): maybe, but probably shouldn't unless they hold administrative roles

Could the user have more than one account but they should be kept separated?

What other information do you collect?

Do you do account-level action tracking/audit?

The answer on this occasion

Reflective questions

But email addresses are personal data?!

Email address as username, isn’t that dangerous?

Isn’t this password re-use?

Doesn’t this mean an attacker has one less thing to find out?

What if an attacker (etc) gets a hold of their email account?

What if the user uses a temporary/disposable/one-time email account for sign-up?

What if the user uses an email mutation they forget?

What if the user uses a shared email account?

What if the user loses access to / changes their email account?

What if someone else inherits that email account?

It would’ve been nice to have some stats

The thin blue line between technology and everything else. joelgsamuel.com
Joel Samuel