I wonder if it would be a good idea if a shopping system would reuse existing user accounts across multiple orders. For example:
- A person buys a concert ticket in an online shop. The ticket is mailed to them.
- The person does not create a user account. Instead, an anonymous user entity is created and associated with the order.
- A few weeks later, the person buys another ticket using the same e-mail address.
- The system recognises the person by the e-mail address and links the new order with the existing entity.
- If the person has entered a different name etc. the system would also update this information in the existing entity.
Now you might ask: Why would I want to re-use the existing account instead of creating a new one? Because users can decide to “activate” their previously “anonymous” account (by requesting an e-mail with an activation link). It would be nice if they could then see the orders they made before the activation.
Yes, we could auto-activate the account after the first order and send the user their credentials. But they’d delete/forget/ignore the e-mail and would have to go through account recovery during the next checkout process, which would obviously be a horrible conversion breaker.
Therefore I wonder, is reusing the account a good idea from a security standpoint? If not, how could it be implemented otherwise if I want to make history available without hurting the UX too much?
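The flow described in the question, modelled as an added example (not code from the poster): guest orders are attached to an entity keyed by the normalised e-mail address, but the order history is only released once the requester has proved control of that address through a single-use, expiring activation token, and the contact details typed at checkout stay on the individual order instead of overwriting the entity. The `Shop`, `Account` and `Order` classes, the one-hour token lifetime and the in-memory session store are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    order_id: str
    email: str
    name: str    # contact details live on the order, never copied onto the account
    item: str


@dataclass
class Account:
    """Entity keyed by e-mail address; starts 'anonymous' (not activated)."""
    email: str
    activated: bool = False
    orders: list = field(default_factory=list)
    token_hash: Optional[str] = None   # SHA-256 of the outstanding activation token
    token_expires: float = 0.0


def _normalise(email: str) -> str:
    # Assumed canonicalisation so "Alice@Example.com" and "alice@example.com" match.
    return email.strip().lower()


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class Shop:
    TOKEN_TTL = 3600  # seconds the activation link stays valid (assumed value)

    def __init__(self) -> None:
        self.accounts: dict = {}   # normalised e-mail -> Account
        self.sessions: dict = {}   # session token -> normalised e-mail

    def place_guest_order(self, email: str, name: str, item: str) -> str:
        """Link the order to the entity for this address, creating it if needed."""
        email = _normalise(email)
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email)
            self.accounts[email] = acct
        order = Order(secrets.token_hex(8), email, name, item)
        acct.orders.append(order)
        # Deliberately no update of account-level profile data here: anyone can
        # type this address at checkout, so the entity must not trust the input.
        return order.order_id

    def request_activation(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh token; only its hash is stored. Returns the token that
        would be placed in the activation e-mail (returned here for the demo)."""
        email = _normalise(email)
        acct = self.accounts.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct.token_hash = _digest(token)
        acct.token_expires = (time.time() if now is None else now) + self.TOKEN_TTL
        return token

    def activate(self, email: str, token: str, now: Optional[float] = None) -> Optional[str]:
        """Verify the token; on success mark the account activated and open a session."""
        email = _normalise(email)
        acct = self.accounts.get(email)
        if acct is None or acct.token_hash is None:
            return None
        if (time.time() if now is None else now) > acct.token_expires:
            acct.token_hash = None          # expired tokens are discarded
            return None
        if not hmac.compare_digest(acct.token_hash, _digest(token)):
            return None
        acct.token_hash = None              # single use
        acct.activated = True
        session = secrets.token_urlsafe(32)
        self.sessions[session] = email
        return session

    def order_history(self, session: str) -> list:
        """History is visible only through a session obtained via activation."""
        email = self.sessions.get(session)
        if email is None:
            raise PermissionError("no authenticated session")
        return list(self.accounts[email].orders)
```

Because tickets are already delivered to the e-mail address, releasing the history to whoever proves control of that address does not widen who can see the orders; the guard is that the proof happens before the history is shown, not before the orders are linked. Keeping the name typed at checkout on the order rather than the entity is what prevents a stranger who enters someone else's address from rewriting that person's profile.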