Best practice for account usernames? [closed] - validation

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I'm in the middle of creating a user registration for a website and was wondering whether it is better to require the username to be an email address or to allow any value for the username.
Example: Username: me@mail.com or Username: me
In my case it can't be one or the other it has to either be an email address or any other value.
Thanks.

In your comment, you indicated it was a registration for a job application. In this case, I recommend you use email for a few reasons:
The data will be more easily read by the person who's hiring (they don't care to know your super-awesome SN ninjawarrior1337)
You can guarantee that you'll collect a valid email (you'll probably want to send emails at some point)
Since there's no "social" component, people don't need any kind of nick name, their email will do fine
Easy to remember

Whatever method you choose, give the user the option to change it. The reason is that email addresses are NOT permanent. Services can go out of business, people can change email providers, etc.
OpenID is great if you allow more than one authentication service per account.

From personal experience, I find it more convenient when websites use my email address for login, because then I don't have to recall which username I used for this site (I have multiple usernames, depending on whether spaces are allowed and on what kind of website it is).

Another option is to use OpenID; then users can leverage an existing OpenID to create an account on your site. Here are directions on how to get started: http://openid.net/add-openid/

At someone's suggestion, I am elevating this from a comment to an answer:
If you use email addresses, you can share them with other website owners and aggregate personal information about your users. A lot of big websites do this. The tiny percentage of us who know about this won't register on a site that demands our email address, unless we're really comfortable with their privacy policy.

If you're just talking about convention then it doesn't really matter - pick one and go with it. I personally prefer a username as opposed to an email address since it's quicker to type in and I usually use the same username on multiple sites (but I often have different email addresses).
However, others will prefer email addresses instead which is just as valid a response!


Web application change email algorithm

I am developing an ASP.NET Core web application with user management functionality. My question is about the email address change algorithm. Almost every web app I have seen before has the following flow:
User authorized
User requested an email address change
User received a message on the new mailbox with the confirmation link
User clicks the link and the email address updates
But I think this algorithm might be a bit insecure, and that is what I want to discuss here.
How about this flow:
User authorized
User requested an email address change
User received a message on the old mailbox with the confirmation link
User received a message on the new mailbox with the second confirmation link
User clicks the link and the email address updates
With this additional step in the middle of the algorithm, things may be much better from the security perspective, but would it be too complex or not? Which algorithm do you think I should implement? And what would you prefer if you were in my shoes?
The second option might sound great, and it's not too much of a headache to implement either. But I'll stick with the first approach for a few reasons:
Common workflow pattern.
As the backend can be written in many languages, by various developers, a common pattern makes things more standard when we need some kind of migration, and even maintenance by a new developer. If the project doesn't require an ultra-secure authentication flow, the simplicity of the first approach is enough.
From the user convenience perspective
Let's just imagine when changing an email address: in what case does the user likely want to change their email address? I registered my Facebook account long ago using Yahoo mail, which is no longer active, and I need to switch to a Gmail one. What's the point of sending the email back to the old one? Cumbersome... and I can do nothing in this case except get some help from the staff.
I totally agree with the second approach from the security angle. But that's not suitable for most cases; only implement it if the project has such a requirement. And even in that case, I suggest not doing that either; build something like a sub-admin account role and grant permission to someone who is responsible. Like Google enterprise email, which organizes some accounts called admin in case anything goes wrong with a user account. As long as it has this kind of security level requirement, it's not going to serve a massive number of users.
The intention of the whole flow
The user got authorized first, right? That means we identified who the user is, and what she is capable of doing. Imagine we book a hotel room and then request to change to another one for some reason. What's the point of proving that I booked my own room, since we all know that's the fact? Kinda weird... right?
In conclusion, I think we shouldn't mess with something that's become a common pattern that is widely acknowledged, unless we have some special requirements and the project has something unique to satisfy, and we, as developers, consider that reasonable.
The main problem with this approach is: what happens if the user no longer has access to their original email account? Perhaps it was a work/school/uni account that they no longer have, or perhaps they've just forgotten their password or otherwise lost access to it.
With your second approach, they are not going to be able to update to the new account, because they'll never receive the first confirmation link.
How about the following approach instead:
User requests an email change.
Require the user to re-authenticate with their current password (just like when they change their password).
Send a confirmation link to their new email.
Send a notification to their old email, with the details of the change, and instructions of what to do if they didn't initiate the change.
User clicks the link to update or contacts your support to say their account has been compromised.
This way you still provide them with an alert that someone is trying to change their email (and potentially a means to stop it), but a user who has lost access to their old account will still be able to update their email.
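The five-step flow from the answer above, worked through as an added example (not code from the original thread or from any ASP.NET project): re-authentication with the current password, a single-use, time-limited confirmation token that is sent only to the new mailbox, and a token-free notification to the old mailbox. The in-memory stores, the outbox list, the hostname in the link and the one-hour lifetime are this example's own assumptions standing in for a real database, mail queue and configuration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the app's database and outgoing
# mail queue; all names here are this example's own assumptions.
USERS = {}      # user_id -> {"email", "salt", "pw_hash"}
PENDING = {}    # sha256(token) -> {"user_id", "new_email", "expires_at"}
OUTBOX = []     # messages the app "sent", kept so they can be inspected
TOKEN_TTL_SECONDS = 60 * 60   # a confirmation link is only good for one hour


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token):
    # Only a hash of the token is stored, so a leaked database row cannot be
    # replayed as a working confirmation link.
    return hashlib.sha256(token.encode()).hexdigest()


def create_user(user_id, email, password):
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"email": email, "salt": salt,
                      "pw_hash": _hash_password(password, salt)}


def request_email_change(user_id, password, new_email, now=None):
    """Steps 1-4 of the flow. Returns the raw token (which is only ever sent
    to the new mailbox) or None when re-authentication fails."""
    now = time.time() if now is None else now
    user = USERS[user_id]
    # Step 2: re-authenticate with the current password before doing anything.
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    PENDING[_hash_token(token)] = {"user_id": user_id, "new_email": new_email,
                                   "expires_at": now + TOKEN_TTL_SECONDS}
    # Step 3: the only link that changes anything goes to the NEW address, so a
    # user who has lost the old mailbox can still complete the change.
    OUTBOX.append({"to": new_email, "kind": "confirm",
                   "body": f"Confirm: https://app.example/email/confirm?token={token}"})
    # Step 4: the OLD address gets the details and what to do if the owner did
    # not request this; deliberately no token in it, so it grants nothing.
    OUTBOX.append({"to": user["email"], "kind": "notify",
                   "body": (f"A request was made to change your address to {new_email}. "
                            "If this was not you, contact support immediately.")})
    return token


def confirm_email_change(token, now=None):
    """Step 5: the link from the new mailbox. Single-use and time-limited."""
    now = time.time() if now is None else now
    pending = PENDING.pop(_hash_token(token), None)   # pop => cannot be replayed
    if pending is None or now > pending["expires_at"]:
        return False
    USERS[pending["user_id"]]["email"] = pending["new_email"]
    return True
```

The `now` parameter exists only so the expiry path can be exercised deterministically; a web handler would leave it unset. Note that a wrong password short-circuits before any mail is queued, so the old mailbox is not flooded with notifications by someone who merely knows the account name.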

How to improve email verification

I have a question about email verification and user registration. The other day I created accounts for both Twitter and Facebook and I realized that in either of them I was asked to fill in a CAPTCHA. And even before validating my email account I could already use my account and add friends and all that. Supposedly I had limited options, but I didn't even realize it.
My question is, as I'm building a website with user registration myself and I'm planning on using this method, how do I deal with spam, "junk accounts" and people that don't validate their email accounts?
And more realistically, I was thinking of either asking for a CAPTCHA and an email (and letting users verify their accounts later on) or asking for an email and waiting for it to be verified (with a link or a temporary password) right away. In this case, which is the best option?
Thanks!!
It's a debatable question which is good or bad.
I personally feel you should use email verification by sending a link to the email account and verifying that link on click. This will give you trusted users.
By the way, CAPTCHA isn't bad. It will strongly prevent automated account creation.

how can we check whether an email address is valid or not? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
I have my own website and I want to put a login function in it. Now whenever any user registers himself on the website he would write his email address, but how would my login function check whether that email address really exists or not? I mean, suppose anybody enters an email address from Yahoo or maybe Gmail. How would I check whether that email address really exists in Yahoo's or Gmail's database? How can I validate that email address? Can anybody help me with this problem? Thanks in advance.
You can't check an email address account actually exists without actually sending it a message, as far as I know.
The standard way of verifying email accounts for web systems is to send a validation email to the account the user specifies, containing either a link they have to click that redirects back to your site with a verification key in the URL, or containing a validation code the user has to enter on the website. Either way, it will allow you to (a) verify they own the mailbox, and (b) confirm its existence (a send failure or a bounce-back from the mail server should indicate the account is invalid).
You could set the user account in an 'unverified state' until the user validates the mailbox, and only let them access the full login-restricted parts of the site once this validation has occurred.
EDIT: As Pascal Wittmann points out, there ARE ways of verifying an account, but whether the methods work depend on whether the mail server being used allows such queries. I would say best practice is to validate the email by the above method, to make sure the user has entered an email address they own - otherwise you may end up sending emails to a user who doesn't want them!
What you can do is ensure that the user registering on your website is using a valid email address by sending him a verification mail.
In that mail you add a link with a token that goes to your website, e.g. like this: http://www.mysite.com/user/verify/123123.
Then you just need to verify that 123123 is a valid token. (The token should be a randomized string, that is unique for every user)
And if the user clicks that link, you know for sure that he got a valid email address. Simple as that.
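The verification scheme the two answers above describe, as an added example that is not code from the original thread: a random token whose hash is stored server-side, a link of the form the second answer shows, an "unverified" account state that gates the login-restricted parts of the site, and a bounce handler that marks an address invalid when the mail server rejects it. The in-memory dictionaries, the outbox list, the 24-hour lifetime and the state names are this example's assumptions.

```python
import hashlib
import secrets
import time

# Account states: a registered address starts out unverified, becomes verified
# when its link is clicked, and is marked bounced when the mail server rejects it.
UNVERIFIED, VERIFIED, BOUNCED = "unverified", "verified", "bounced"
VERIFY_TTL_SECONDS = 24 * 60 * 60

# Constructed in-memory state (this example's assumption, not a real schema).
ACCOUNTS = {}          # email -> {"state": ..., "token_hash": ... or None}
PENDING_TOKENS = {}    # sha256(token) -> {"email": ..., "expires_at": ...}
OUTBOX = []            # what the site "sent"


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(email, now):
    # Invalidate any earlier link for this address, then mint a fresh one.
    old = ACCOUNTS[email].get("token_hash")
    if old:
        PENDING_TOKENS.pop(old, None)
    token = secrets.token_urlsafe(32)          # unpredictable and unique per issue
    h = _hash_token(token)
    ACCOUNTS[email]["token_hash"] = h
    PENDING_TOKENS[h] = {"email": email, "expires_at": now + VERIFY_TTL_SECONDS}
    OUTBOX.append({"to": email, "link": f"http://www.mysite.com/user/verify/{token}"})
    return token


def register(email, now=None):
    """Create the account in the unverified state and send the first link."""
    now = time.time() if now is None else now
    ACCOUNTS[email] = {"state": UNVERIFIED, "token_hash": None}
    return _issue_token(email, now)


def resend_verification(email, now=None):
    """Only unverified accounts get a new link; returns None otherwise."""
    now = time.time() if now is None else now
    if ACCOUNTS[email]["state"] != UNVERIFIED:
        return None
    return _issue_token(email, now)


def verify(token, now=None):
    """Handler for /user/verify/<token>. Returns the verified email, or None."""
    now = time.time() if now is None else now
    entry = PENDING_TOKENS.pop(_hash_token(token), None)   # single use
    if entry is None or now > entry["expires_at"]:
        return None
    acct = ACCOUNTS[entry["email"]]
    if acct["state"] != UNVERIFIED:
        return None
    acct["state"] = VERIFIED
    acct["token_hash"] = None
    return entry["email"]


def record_bounce(email):
    """The mail server rejected the address: treat an unverified account as invalid."""
    acct = ACCOUNTS.get(email)
    if acct and acct["state"] == UNVERIFIED:
        acct["state"] = BOUNCED
        if acct["token_hash"]:
            PENDING_TOKENS.pop(acct["token_hash"], None)
        acct["token_hash"] = None
        return True
    return False


def may_access_restricted(email):
    """Gate for the login-restricted parts of the site."""
    return ACCOUNTS.get(email, {}).get("state") == VERIFIED
```

Looking the token up by its hash means the database never holds a usable link, and popping the entry on first use means a link forwarded or logged somewhere cannot verify the address a second time.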

How would you implement a 'challenge' question?

So, in the case of applications where security is of great importance - how would you implement the challenge question idea? That is... you would:
Detect if the computer IP has changed and hence ask for the challenge question.
Detect if the cookie is missing.
Detect if the computer name is different.
Some combinations of the methods above?
I am currently working on a forex platform... in asp.net/c# and thinking about how to implement this feature for best results. I think the best and only way will be to check for a cookie change - since if I base it on the IP, the IP might be dynamic by the client's ISP - also if I count on the computer name then it's not that bright since the computer might be used by more than the user in question... of course if I count on the cookie then the browser might be used by more than a single person... but this is why this is an additional security measure and not the very password/username authentication.
Other than that, getting the computer name (if possible??) + cookie change seems to be the best method. I am tagging this as c#/java since the 2 are very common these days when it comes to authentication and security.
10x!
One thing Facebook did that I thought was good... You can enable an option to have them put a cookie in your browser... Unique for each computer you use... Then if someone without a cookie in the browser logs in to your account, they send an email to you letting you know... I think they geolocate the source IP of the unknown computer and put it in the email as well... So if you live in the US, you wouldn't expect a login from Russia. Not everyone accepts cookies, but for those who do, this optional feature is great and financial firms should do it too...
My bank (and many others) rely on some form of constant two-factor auth. Could be as simple as your best friend's name, or, if they're like my online broker, high-value accounts over a certain balance threshold get a time-based password token. You must log in first with your password, and then with the token number.
Most financial sites used a hosted picture from their site that you choose to have displayed for your password logins... This helps reduce the risk of phishing losses.
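The "check for a cookie change" approach from the question, combined with the alert email from the first answer, as an added example that is not code from the thread or from any forex platform: a device cookie signed with an HMAC so it cannot be forged or moved between accounts, a per-user set of devices that have already passed the challenge, and a decision function that only asks the challenge question when the cookie is missing, tampered with or belongs to another account. A changed client IP alone is tolerated, for the dynamic-ISP reason the question gives, and is only reported in the alert. The signing key, the device store and the outbox are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed state for this example; a real deployment keeps the devices in the
# database and the signing key in a secret store, not in process memory.
SERVER_KEY = secrets.token_bytes(32)
KNOWN_DEVICES = {}   # user_id -> set of device ids that have passed a challenge
OUTBOX = []          # alert emails the site "sent"


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_cookie(user_id):
    """Called after a successful challenge: mint a signed cookie and remember the device."""
    device_id = secrets.token_urlsafe(16)
    KNOWN_DEVICES.setdefault(user_id, set()).add(device_id)
    payload = f"{user_id}:{device_id}"
    return f"{payload}:{_sign(payload)}"


def parse_device_cookie(cookie):
    """Return (user_id, device_id) if the cookie is intact and signed by us, else None."""
    if not cookie:
        return None
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user_id, device_id, sig = parts
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(f"{user_id}:{device_id}")):
        return None
    return user_id, device_id


def evaluate_login(user_id, cookie, client_ip):
    """Decide, after the password check has already passed, whether the
    challenge question must be asked. Returns "allow" or "challenge"."""
    parsed = parse_device_cookie(cookie)
    if (parsed is not None and parsed[0] == user_id
            and parsed[1] in KNOWN_DEVICES.get(user_id, set())):
        # Recognised device for this account: a changed IP (dynamic ISP
        # address) is tolerated on its own.
        return "allow"
    # Missing, tampered or foreign cookie: ask the challenge question and tell
    # the account owner, including the source IP as the first answer describes.
    OUTBOX.append({"to_user": user_id,
                   "body": (f"Login attempt from an unrecognised device at IP {client_ip}. "
                            "If this was not you, change your password.")})
    return "challenge"
```

Because the cookie carries the user id inside the signed payload, a valid cookie issued to one account cannot be presented for another, which is the case the question's "browser used by more than a single person" remark raises. After the user answers the challenge correctly the handler would call `issue_device_cookie` again so the next login from that browser is silent.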

Useful browser plugins for openid authentication? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 2 years ago.
I've read https://stackoverflow.com/questions/41354/is-the-stackoverflow-login-situation-bearable and must agree to a certain point that OpenID (for me) makes it more difficult to log in. Not a show stopper, but I'm used to opening the front page of the site, there's a small login form, Firefox's password manager has already filled in the correct values, submit, done. One click.
Here - and it's currently the only site with OpenID I use - the password/form manager doesn't even fill in my "login id". I often close all browser windows and all cookies are erased - and I would like to keep it this way.
Are there any firefox plugins you would recommend that make the login process easier? Maybe something that checks my status at myOpenId and performs the login if necessary.
Edit:
Unfortunately RichQ is right and I can't use Seatbelt. And Sxipper ...not quite what I had in mind ;) Anyway, both solutions would take away some of the "pain", so upvotes for both of you.
I've also tried the ssl certificate. But that only adds more steps. Hopefully I did something wrong and some of those steps can be eliminated:
Click "login" at stackoverflow
Click on the "select provider" Button.
Click on MyOpenId
Enter Username
Click "Login" (Sxipper could reduce the previous 4 steps to a single mouseclick)
MyOpenId login page is loaded
Click "Sign in with an SSL certificate"
Choose Certificate (grrr)
Click "Login" (GRRR)
Back to stackoverflow, finally.
What I really would like is:
Click "login" at stackoverflow
My (only) LoginId is filled in
Click "Login"
If necessary the certificate is chosen automagically, ssl login performed
Back to stackoverflow without any further user interaction.
That would be more or less what I'm used to - and I'm a creature of habit :)
VeriSign (ick)'s SeatBelt plugin: https://pip.verisignlabs.com/seatbelt.do
Ideally, the plugin would allow a higher-level of authentication. I know something like this was planned for the OLPC.
You could try Sxipper. It provides intelligent automatic form-fill, including auto-login.
From the Sxipper FAQ:
How does Sxipper support OpenID?
Sxipper remembers your OpenIDs and presents an overlay. You choose the one you want to use and login with one click. Sxipper also helps protect you against phishing.