So I'm creating an online system. Just wondering should I allow for users to have a username or just use their email address as the primary logon?
What are your thoughts?
It doesn't necessarily have to be a choice. It only matters if you are using the email address to verify the account, in which case you have to use what they entered as an ID or provide another field for the email address. The other option is to allow them to login through Facebook, Google etc.
I think that having the users use their email addresses as their user name is convenient. For one, users already have to track quite a bit of user names. If they access your site and you expect them to input an email address to login, it will be easier for them to work through the logon process. This should reduce the number of "forgot my username" events you have to handle. You can also validate their username by requiring them to receive an email and click on a validation link before you activate the account. This ensures that you have a good, valid email address. This becomes more important if you plan on emailing your users. The fact that you will have good email addresses in your system will reduce the possibility of messaging systems out there tagging you as a spammer because there theoretically should be less emails coming back as non-deliverable.
More and more sites are resorting to OAuth with Facebook, Twitter etc. But with the fortunes of some of these services on the wane, it's starting to look a little feeble (just my opinion). Other sites seem a bit more convenient with 'log in with your username or your email'. That's really handy. Username only accounts - as mentioned above, can draw a number of 'I don't have the foggiest who I am on your site' responses.
Thanks guys. Yeah, I don't really want to go through the logon with Facebook or Twitter as the customer clientele is not geared towards Facebook or Twitter.
I do like just using the email address as the primary id but the logon system I am using currently has a username already integrated. I suppose it wouldn't be too difficult to reverse engineer.
"I am using currently has a username"
I was under the impression that you had to build something new. If you have something existing that is already using the username for the primary logon, I wouldn't bother changing that if 1) it's working and 2) there is no requirement for using email addresses as the logon.
Going with @Jorge here, let's say you had just a service where you can only sign in using your username, at least have an option where the users can enter some information to retrieve what their username is. I.e. "I've forgotten my username"
I'll just add that as most error messages will state that 'either your username or your password is incorrect' - as you don't want to give malicious users any more info than that - you could be using the 'reset password' function just because the user has forgotten their username (the password they entered may be correct). So, the option of using an email login could really help the user. They could then find their username after logging in (e.g. on the 'logout diafol' link or even on their profile page, if they have one).
If you wanted to implement this functionality with your code, it should be reasonably trivial if you only allow one account per email address. Otherwise, I don't think it would work. In addition, I don't think that this would compromise your security that much. Maybe others disagree?
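A sketch of the "log in with your username or your email" approach discussed in this thread, added as an illustration and not code from any of the posters. `UserStore`, its methods and `GENERIC_ERROR` are hypothetical names, and the in-memory dictionaries stand in for a database table with unique indexes on username and email.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Either your username/email or your password is incorrect"

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    def __init__(self):
        self._by_username = {}   # lowercased username -> record
        self._by_email = {}      # lowercased email -> record (one account per email)
        # Dummy credentials so unknown identifiers cost the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("placeholder", self._dummy_salt)

    def register(self, username: str, email: str, password: str) -> None:
        ukey, ekey = username.strip().lower(), email.strip().lower()
        if "@" in ukey:
            # Keeps the two namespaces disjoint so an identifier is unambiguous.
            raise ValueError("username must not contain '@'")
        if ukey in self._by_username or ekey in self._by_email:
            raise ValueError("username or email already registered")
        salt = os.urandom(16)
        record = {"username": username, "salt": salt, "hash": _hash(password, salt)}
        self._by_username[ukey] = record
        self._by_email[ekey] = record

    def login(self, identifier: str, password: str):
        """Return (username, None) on success, (None, GENERIC_ERROR) otherwise."""
        key = identifier.strip().lower()
        index = self._by_email if "@" in key else self._by_username
        record = index.get(key)
        if record:
            salt, expected = record["salt"], record["hash"]
        else:
            salt, expected = self._dummy_salt, self._dummy_hash
        ok = hmac.compare_digest(_hash(password, salt), expected)
        # Same message whether the identifier or the password was wrong.
        if record is None or not ok:
            return None, GENERIC_ERROR
        return record["username"], None
```

On success the username is returned, so the page can show it to a user who logged in by email and had forgotten it.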