Home/ Questions/Q 164615
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T11:46:32+00:00

I’m creating a web app that requires registration/authentication, and I’m considering using an email

  • 0

I’m creating a web app that requires registration/authentication, and I’m considering using an email address as the sole user id. Here are what I see as the pros and cons (updated with responses):

PROS

  1. One less field to fill out during registration (it would just be email address, password, and verify password). I’m a big fan of minimalistic registration.

  2. An email address is easier to remember. (thanks Mitch, Jeremy)

  3. You don’t have to worry about your favorite username being taken already – you’re the only one who uses your email address. (thanks TStamper)

CONS

  1. User has more to type every time they log in.

  2. What if a user wants multiple accounts? They’ll need another email address. (Do I even want a user to be able to create multiple accounts?)

  3. Easy for a potential attacker to guess (if they know the target’s email address, they know the login id). (thanks Vasil)

  4. Users may be tempted to use the same password they use for their email account, which is bad security. (thanks Thomas)

  5. If you change email addresses frequently, it may be difficult to remember which address you used to sign up for a site after a long hiatus. (thanks Software Monkey)

  6. A hacker could spam the registration form and use ’email already taken’ responses to generate a list of valid emails. (thanks David)

  7. Not everyone has an email address. (thanks Nicholas)

If I went with email as id, I would provide a mechanism to allow it to be changed in the event a user changes address. In this case users would not be posting content to a public site, so a separate username won’t be necessary to protect the email addresses (but it is something to consider for other sites).

Another option is to implement OpenID (which is a whole other debate).

This seems to work for Google, but their services are tightly integrated. What have I missed in my analysis? Do you have any recommendations? Does anyone have experiences to share?

FINAL EDIT

Thank you all for your responses. I have decided to use email as an id, but then allow the creation of a username for login purposes after registration. This allows a little flexibility while keeping registration as short as possible. It also prevents problems when a user changes email addresses (they can just log in with their username and update it). I will also be implementing methods to prevent brute-forcing of email addresses out of the registration and login systems (mainly a cool-down period after repeated attempts).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. I tend to not prefer pro/con lists, and instead try to think of benefits and challenges.

    Challenge:

    Some users will be tempted to use their email address from their ISP. Linking to an email alone, may be difficult for the users who forget to update their email in all the web sites they have signed up for before they change ISPs.

    Instead:

    You should consider allowing a user to provide multiple addresses, as well user-selected id and then let the user decide what they want they wish to do. Perhaps also consider allowing the user to provide an OpenID account.

    • 0