Why use usernames and not just email addresses to identify users?

  • Why use usernames, and not just email addresses, to identify users? - What is the main concern or the main case when a security expert (which I'm not) should recommend inserting another layer of usernames, for example, when a native/web application is created?

    Comments are not for extended discussion; this conversation has been moved to chat.

  • nbering

    nbering Correct answer

    3 years ago

    Your question is missing a lot of context, but what you do say sounds like you’re looking to settle an argument. So my answer will start with “It depends...”

    One reason to have unique usernames that aren’t email addresses is to protect privacy when other users can see the username. For example, GitHub profiles indicate the username in the profile URL, and as authorship indicators on commits, issues, comments, etc.

    Providing a username as the user’s public face instead of their email address allows them a layer of privacy.

    In some rare cases, a service may elect not to collect email addresses at all... since email addresses can be considered sensitive and personally identifiable information. The downside to not collecting an email address at all is that account recovery for someone who forgets their password, or has their account breached, will be more difficult without a verified channel to use for recovery.

    Or for the hybrid approach, one might collect the email address, but store it in the database behind strong encryption. Strong encryption is generally difficult to search on, so having a less sensitive identifier to use that can be store in plaintext would be convenient.

    The actual account name could be the email address, while the "user's public face" can be a "nickname" they've chosen. I've seen some sites where people can freely change the "nickname", but a unique ID (possibly a hash of their actual account name, or just the next number available when the account was created, similar to a Unix/Linux UID) is displayed as a disambiguator in case more than one person chooses the same nick. Thus, "Joe [dUsWkOPhVq0]" and "Joe [MLxK8aT+Omw]" are two different people, but unless they're running in the same circles, they can both be casually addressed as "Joe"

    @MontyHarder Stack Exchange itself operates in a similar manner, where public profiles have a numeric ID to enforce uniqueness.

    SO is different (and much more common) than what @MontyHarder describes, since the number is *all* you need to identify the user. I believe Monty is referring to the system that Blizzard and the like use ("battletag"), which is like "katrina#11104", which is a combination of a username and a unique ID, allowing for non-unique names with shorter IDs. As an aside, Blizzard's system still allows you to change usernames and that system is really just for user facing ID, with the email being your account login ID (but also changeable).

    The inverse could also be important: users may want to give out their email address without revealing one of their login credentials.

    @xiuyuan Email addresses are frequently considered Personally Identifiable Information (PII), unless the user has provided a burner email like a mailinator address. Self-selected usernames that are selected by the user and can be unique per site can be PII, but a privacy-conscious user could protect themselves by not using the same name twice, and not including their real name in the username. Also, usernames should never be considered a security factor. The password and any other auth mechanisms are what protect the account.

    Regarding the username (GH), the question is about logging in (some services won't allow you to login with email - only username)

    GitHub is not a good example as email address is part of the commit info so it will be exposed anyway if you use the site in a nontrivial way. It probably uses usernames for the same reason other social media sites do: they feel more human than email addresses.

    The fact that email addresses appear in commit messages had occurred to me as well, but that isn’t shared from the GitHub interface unless the email isn’t registered to an account. More of a feature of Git than GitHub. It still serves as an example that most of the users here would relate to.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM