by pdkp 3104 days ago
I think you have a good point in that if you are going to use usernames as an identifier, there is an argument that having an email also be an identifier is sort of redundant.

One problem with that is that when users are given the option of an arbitrary username, they tend to be much more likely to forget that username than they are the email address they use daily. So, you need some way of resetting their password and letting the user recover their username. In some cases, you could pair that with other identifiers, like their name, phone, social security number, etc. However, then you are just trading the email as an identifier for something else, which you would also need to check during registration.

For this reason, I've found that moving away from a username and just relying on an email for a login makes managing multi-user sites a great deal easier from an admin side.


That's fine though, sending a forgot username / password e-mail is much simpler to do without exposing the fact that you know their e-mail (just send a "sorry, we don't have that e-mail on file" to the e-mail address if there's no match).

I agree that e-mail makes for a better login experience, but if exposing who uses your site is too much of a privacy concern, I'd rather move to usernames than have to implement awkward user experiences to never reveal whether someone is a user or not.

I think a lot of sites already do that, although they may not send an email saying 'sorry, we don't have that e-mail on file,' it is pretty common to get a 'if that email exists, we have sent a reset e-mail to it' message when you do a password reset that doesn't expose if the email exists in the system.

Although to the point of this article, they will then happily tell you you can't use an email during signup, so it is a mixed bag.

I suppose if you allowed multiple usernames per email, you could just email them all the usernames that they have on that email address when they forgot their username, but that seems like a clunky setup. It probably depends a lot on the service though, as someone posted a link to a discussion from 2014 about Amazon's reasoning for allowing multiple emails elsewhere in this thread, which makes a bit of sense for their use-case.
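The flow discussed in this thread, as an added example that is not part of any comment above: the on-screen reply is identical whether or not the address is registered, and the difference is only visible in the mailbox, for both password reset and signup. The user store, outbox, token table, function names and `example.invalid` URLs are all hypothetical.

```python
import hashlib
import secrets

# Constructed sample data; all names below are hypothetical.
USERS = {"alice@example.com": {"username": "alice"}}
OUTBOX = []    # stand-in for an async mail queue: (recipient, subject, body)
TOKENS = {}    # sha256(token) -> (purpose, e-mail); the raw token is never stored

RESET_REPLY = "If that e-mail exists, we have sent a reset e-mail to it."
SIGNUP_REPLY = "Check your inbox to finish signing up."

def _issue(purpose, addr):
    """Create a random token, store only its hash, return the link to mail."""
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (purpose, addr)
    return f"https://example.invalid/{purpose}?t={token}"

def request_password_reset(email):
    """Same on-screen reply for known and unknown addresses."""
    addr = email.strip().lower()
    user = USERS.get(addr)
    if user:
        body = f"Hi {user['username']}, reset your password: {_issue('reset', addr)}"
    else:
        # Only the owner of the mailbox learns there is no account.
        body = "Sorry, we don't have that e-mail on file."
    OUTBOX.append((addr, "Password reset request", body))
    return RESET_REPLY

def request_signup(email):
    """Signup must not reveal 'already registered' on screen either."""
    addr = email.strip().lower()
    if addr in USERS:
        body = "You already have an account here. Use password reset if needed."
    else:
        body = f"Confirm your address: {_issue('signup', addr)}"
    OUTBOX.append((addr, "Sign-up request", body))
    return SIGNUP_REPLY

def redeem(purpose, token):
    """Single-use: returns the e-mail bound to the token, or None."""
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    return entry[1] if entry and entry[0] == purpose else None
```

Queuing the mail instead of sending it inline keeps the response time of both branches close, so timing does not reveal what the reply text hides.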