52

Why use usernames, and not just email addresses, to identify users? - What is the main concern or the main case when a security expert (which I'm not) should recommend inserting another layer of usernames, for example, when a native/web application is created?

Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
user9303970
  • 443
  • 1
  • 4
  • 15
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/76538/discussion-on-question-by-user9303970-why-use-usernames-and-not-just-email-addre). – Jeff Ferland Apr 25 '18 at 06:45

10 Answers10

79

Your question is missing a lot of context, but what you do say sounds like you’re looking to settle an argument. So my answer will start with “It depends...”

One reason to have unique usernames that aren’t email addresses is to protect privacy when other users can see the username. For example, GitHub profiles indicate the username in the profile URL, and as authorship indicators on commits, issues, comments, etc.

Providing a username as the user’s public face instead of their email address allows them a layer of privacy.

In some rare cases, a service may elect not to collect email addresses at all... since email addresses can be considered sensitive and personally identifiable information. The downside to not collecting an email address at all is that account recovery for someone who forgets their password, or has their account breached, will be more difficult without a verified channel to use for recovery.

Or for the hybrid approach, one might collect the email address, but store it in the database behind strong encryption. Strong encryption is generally difficult to search on, so having a less sensitive identifier to use that can be store in plaintext would be convenient.

nbering
  • 3,988
  • 1
  • 21
  • 22
  • 2
    The actual account name could be the email address, while the "user's public face" can be a "nickname" they've chosen. I've seen some sites where people can freely change the "nickname", but a unique ID (possibly a hash of their actual account name, or just the next number available when the account was created, similar to a Unix/Linux UID) is displayed as a disambiguator in case more than one person chooses the same nick. Thus, "Joe [dUsWkOPhVq0]" and "Joe [MLxK8aT+Omw]" are two different people, but unless they're running in the same circles, they can both be casually addressed as "Joe" – Monty Harder Apr 23 '18 at 18:43
  • 3
    @MontyHarder Stack Exchange itself operates in a similar manner, where public profiles have a numeric ID to enforce uniqueness. – nbering Apr 23 '18 at 18:47
  • SO is different (and much more common) than what @MontyHarder describes, since the number is *all* you need to identify the user. I believe Monty is referring to the system that Blizzard and the like use ("battletag"), which is like "katrina#11104", which is a combination of a username and a unique ID, allowing for non-unique names with shorter IDs. As an aside, Blizzard's system still allows you to change usernames and that system is really just for user facing ID, with the email being your account login ID (but also changeable). – Kat Apr 24 '18 at 19:20
  • The inverse could also be important: users may want to give out their email address without revealing one of their login credentials. – MHG Apr 25 '18 at 09:16
  • @xiuyuan Email addresses are frequently considered Personally Identifiable Information (PII), unless the user has provided a burner email like a mailinator address. Self-selected usernames that are selected by the user and can be unique per site can be PII, but a privacy-conscious user could protect themselves by not using the same name twice, and not including their real name in the username. Also, usernames should never be considered a security factor. The password and any other auth mechanisms are what protect the account. – nbering Apr 25 '18 at 13:54
  • Regarding the username (GH), the question is about logging in (some services won't allow you to login with email - only username) – Welz Apr 25 '18 at 14:17
  • GitHub is not a good example as email address is part of the commit info so it will be exposed anyway if you use the site in a nontrivial way. It probably uses usernames for the same reason other social media sites do: they feel more human than email addresses. – Tgr Apr 25 '18 at 17:00
  • The fact that email addresses appear in commit messages had occurred to me as well, but that isn’t shared from the GitHub interface unless the email isn’t registered to an account. More of a feature of Git than GitHub. It still serves as an example that most of the users here would relate to. – nbering Apr 25 '18 at 17:18
22

E-Mails are in fact used for user identity on many websites.

There are advantages and disadvantages to this. An incomplete list:

Advantages

  • the problem of uniqueness is solved already
  • no need to come up with or invent a username
  • you don't need to ask the e-mail address additionally

Disadvantages

  • people do sometimes change their e-mail address
  • it often exposes the e-mail address publicly (spam, harrassment, etc. issues)
  • depending on context, people might want to have a username, not an address

A common and secure solution is to have both a displayed username and using the e-mail address to log in.

Tom
  • 10,124
  • 18
  • 51
  • 27
    A major disadvantage that you don't list is shared e-mail accounts. Those might not be terribly common among IT-savvy people, but they definitely show up for people who aren't that much into computers. – user Apr 23 '18 at 12:55
  • 2
    That is true, I didn't think of that. – Tom Apr 23 '18 at 13:11
  • 9
    To the point about shared email accounts... it happens _a lot_ if your service deals with minors using the site at consent of their parents. In a previous career, I managed a lot of teenage employees, and I'd guess that 20% of our staff shared email with a parent, and those that had siblings also working for us often did not have a unique email address. This was problematic for the shift scheduling site we adopted. – nbering Apr 23 '18 at 13:43
  • 2
    Perhaps not common, but email addresses can also change owner. – Dennis Jaheruddin Apr 23 '18 at 14:51
  • It's also frequently the case that such concerns about changing ownership and sharing apply to accounts that use usernames and not emails as identifiers. I think those issues are more human problems than they are problems with emails as IDs. – Matthew Read Apr 23 '18 at 16:48
  • 2
    I sold a domain and lost control of an email address. New owners kindly forwarded my emails but then they went bust. Domain is now in limbo. – Alfred Armstrong Apr 25 '18 at 14:02
  • 1
    There can also be legitimate reasons for a single user to have multiple accounts. Many sites disallow this (and thus don't want to make it easy), but "many" is not "all". It's annoying needing to generate unique addresses for different accounts at the same service, when all you really need is different usernames. – CBHacking Apr 26 '18 at 06:52
  • The annoyance level depends a lot on your circumstances. I have ~10 active e-mail addresses, half of which point to the same inbox. I always figured most people have multiple e-mails anyway. Maybe I'm wrong on that. – Tom Apr 26 '18 at 08:00
  • I took over for a previous employee. He had (voluntarily, it seems) used his company email address as a login ID for several of our 3rd party vendors, so now I have to log in to their systems with his email address. Inconvenient at best and really irritating, considering the state he left things in... – FreeMan Apr 27 '18 at 11:27
10

It depends on the type of application. If it's a forum, it makes sense to add another layer of usernames for a couple of reasons:

  1. Mask the e-mail address from public (you need to have a display name, and many people might not want their e-mail address to go public). Though, another option would be to make people login with their e-mail address, and give them an option to choose a display name.

  2. Ease of login (of course, with browsers remembering your login IDs, this becomes less relevant).

If it's some application where the members don't interact with public, probably logging in with the e-mail address would make sense.

Anders
  • 64,406
  • 24
  • 178
  • 215
pri
  • 4,438
  • 24
  • 31
  • 7
    I'm not sure about your second point. I tend to think that users remember their email address more easily than their username. Especially when usernames must be unique and you have to add to add a random number at the end of it/choose another one. – Yuriko Apr 23 '18 at 08:13
  • 1
    @Yuriko Not necessary always. I've seen people with too complex e-mail addresses, which would surely be a pain to enter while logging in. Hence it takes the second position, with a note about less relevance. :) – pri Apr 23 '18 at 09:18
  • 8
    @Yuriko which of my 4 email addresses did I use to sign up (especialy for something like SE which is relevant to work and home)? If I used my primary personal address did I use a disposable alias? A new/unique alias? I've probably got active accounts with >10 different emails used for logging on – Chris H Apr 23 '18 at 10:42
  • 1
    Typing a username is generally easier on mobile than typing an email address - it's usually shorter and has fewer characters. But it also means everyone knows your login name and now just has to guess your password. – corsiKa Apr 23 '18 at 13:13
  • @corsiKa, so if we think about it, the most secure (but also the most cumbersome for the users) would be to have 3 different "identifiers" (or even 4, if we include the internal database ID): the email (for communications and password reset), the login-name (for login), and the nickname (for display on the forum, and which should preferably be different than the login-name). Actually the best solution is to not use login-name and password at all, but to login with a public+private key. But we're dreaming here... – Sorin Postelnicu Apr 24 '18 at 06:29
  • @ChrisH : While I agree with you, I don't think many people use several email addresses. This is a personal opinion, not based on any study. If someone has any study that may help on this case, this could be really insightful – Yuriko Apr 25 '18 at 11:04
  • @PriyankGupta : that is correct, I read it as "remembering" and not "typing". – Yuriko Apr 25 '18 at 11:06
  • @Yuriko many people have both a work and a home address, for example. – Chris H Apr 25 '18 at 11:42
  • On the other hand (@Yuriko) many people with lots of email addresses probably use password managers – Chris H Apr 25 '18 at 13:01
7

One reason that has not been mentioned yet is the ability to allow users to create multiple accounts. Not every site needs to limit accounts to one per person.

Allowing multiple accounts/identities is a security/privacy concern. While it can be abused, it also gives more privacy to people because they can separate work from private matter, etc.

Stack Exchange does allow people to hold multiple accounts. However, since the email is used as an id, every account needs a different email address.

If the email is not used as id, one could create multiple accounts with the same email address. this could simplify things for users, and even allow a proper support system for multiple identities.

One reason to disallow multiple accounts per person is the allocation of resources. (For example, you may have 10 GB of free space) However, if people create multiple accounts for privacy reasons they don't actually care about the free space.

By allowing the use of the same email address for multiple accounts, people could get their multiple identities, but the email address can be used to track the limited resources.

This doesn't prevent abuse, but it helps to identify the honest people.

There are of course other ways to achieve this too.

Peter Mortensen
  • 877
  • 5
  • 10
eMBee
  • 171
  • 3
5

In addition to privacy and ease of use, a username may cover the scenario when a mail account is compromised.

If my mail account linked to a site is compromised, for example, I would change the mail account to a new one (change the default) in an attempt to minimize the damage.

People lose access to mail accounts all the time for various reasons.

schroeder
  • 123,438
  • 55
  • 284
  • 319
xandfury
  • 1,351
  • 3
  • 10
  • 19
  • For instance, [this is happening](https://tech.slashdot.org/story/18/04/21/1741211/lycos-finally-discontinues-its-free-email-service) to Lycos mail users. – Eric Towers Apr 23 '18 at 23:12
  • 1
    A lot of people that collect email account access credentials go with those on other sites and after trying the same credentials there, they use the "forgot my password" feature. Not nearly as easy when you have a username as the login. – PlasmaHH Apr 25 '18 at 09:15
5

Email addresses aren't a good idea for usernames – let alone unique usernames – unless you go to a lot of trouble.

For example, I register accounts with an email address like 'first.last+service@gmail.com' so that if I get spam I can see which service leaked my address.

That's the address you should register as my email address for the purposes of delivering me email.

But for uniqueness of username, you should just be checking 'first.last@gmail.com'. Except that gmail (and I'm sure others) also accept email to 'firstlast@gmail.com', 'f.irstl.ast@gmail.com' etc. So you'll also need to ignore the dots when checking for uniqueness.

Oh, and I might not remember whether I used the dots or included a service name, and what that service name was. So I'll probably lose access to my account.

RickMeasham
  • 161
  • 2
3

Actually, emails are sometimes used to identify a user. Stack Exchange itself does that, and you must log in using your email and password. The only purpose of an identifier is to be unique, creating a namespace of sorts. If you enforce uniqueness for all identifiers (whether username, email, or something else), then, a fortiori, all identifier:password combinations will be unique.

forest
  • 64,616
  • 20
  • 206
  • 257
2

The username usage has a few advantages over using e-mail as a form of login:

  • Is more secure (against browser cache, others viewing the e-mail address, phishing, etc.)
  • Is more private (similar reasons to above)
  • Can be typed faster (and yes, this many times matters)
  • Can be configured server-side to be something usable in case of e-mail compromise or independent to e-mail status
  • Can prevent a specific set of errors (from related and not only - using alphanumeric characters only are always better to be used generally in the IT world)
Overmind
  • 8,779
  • 3
  • 19
  • 28
0

The previous company that I worked for developed websites which allowed logins for various purposes. However, most of our clients had quite strict policies towards applications that gathered personally identifiable information (PII). There were forms to be filled, justifications to be filed, access to data be controlled and so on. Hence, where we could, we would implement logins using usernames (and not ask for any PII) so that those applications could be used.

0

Typically, an email address is a username from another system. Some exceptions are aliases and role based email addresses. Contrary to popular belief, email addresses are not unique to an individual. Just as an individual is not required to have one and only one email address.

Email addresses are not forever and an individual may lose access before they no longer need access to a site. Email access loss is unpredictable. I have had to deal with this. I have lost access to online accounts because of this.

Because of the prevalence of spam, people do want to keep their email addresses limited in exposure with a few exceptions. I am considering abandoning an email address due to spam loads. Those sites requiring an email address in lieu of a username and do not support an identifier change will keep me from completely abandoning it. Such site may be abandoned by me instead.

Usernames are identifiers, not authenticators. Because of this they have a long history of not being held secret and at times intentionally being publicly visible. Even if a username were to be held secret, it rarely changes or cannot be changed. Secrets get out. Secret passwords get changed if they get out. A system should be designed to be secured even if an identifier is publicly known. FYI Social Security Numbers (SSNs) are identifiers. Problems abound when trying to keep identifiers secret to make weak identification schemes work.

Security here comes from authenticators. Authentication must be implemented securely.