An issue that has come to light is to open up our application (we can visualise it a bit like an online shop) to unregistered users.

At the moment, there is an admin system where staff are added by superusers and a website with customers who add themselves by registering.

We have been asked to allow customers to use the website without registering or logging in, but we don’t want to break the ‘orders’ table – we still need to refer to each customer individually and maintain the registered users functionality (address lookup, purchase history, etc). The main idea we’ve been mulling over is to use the unregistered customer’s email address as a replacement for the surrogate key (or a hash of it) in the customer table so that new and old customers can just enter their email address at checkout to be added to our database and receive confirmation of their order. The problem of different email addresses per customer can be alleviated by a ‘merge’ tool on the admin side, and the problem of multiple customers sharing the same email (some office environments) isn’t that much of a problem for us.

The main question is this: how do real-world applications handle unregistered users?

Update in response to answers

We don’t want to force registered users to login each time even if their email address is already on our system as a registered user. Also, if people are advocating using the email address as a key, how would you deal with a scenario where a registered account holder gives up their email address to someone else?