We have some readers who care about cybersecurity, judging by the comments on the last post.
So let me discuss a second cybersecurity mystery.
***
I cannot understand why many of the organizations that claim they care about cybersecurity keep forcing users to enter their email addresses as user names. Over time, I noticed that websites that previously allowed me to sign on using a made-up user name now require that I enter my email address instead.
An email address is a key piece of personally identifiable information (PII). Many vendors use the email address as the match key that links records across databases of personal data.
I understand that the login information is sent encrypted, so the chance that it is stolen is small. But the chance that the email address is leaked is zero if I use a made-up user name.
So the question is: what is the benefit of using email addresses as user names instead of some other identifier?
Email addresses are less likely to be forgotten than user names.
Email addresses can be used for marketing, or sold if a company goes belly up. Usernames are less valuable in that way.
Posted by: Joshua | 12/14/2021 at 08:48 AM
Again, I am not an expert.
I am not sure if requiring an email address has much to do with security. Perhaps you can make a case for an arbitrary username being more secure, but I am not aware of any serious discussion about this.
Instead, the preference for email addresses over arbitrary user names has much to do with user experience.
Many websites require users to confirm account creation. Usually this is done by clicking a link sent over email. So for these websites, an email address is already mandatory information. There's no point in asking for a second piece of mandatory information that basically serves the same purpose.
Most people already have an email account, and usually they remember it. But not everyone has their own preferred username. So forcing people to come up with some username while creating an account can actually be the most difficult part of the entire process. I think this might apply especially to older folks, who don't really have a concept of a "user name" and who might default to putting in their legal names. Which might be disastrous if user names are publicly available (as they usually are).
Then, usernames are specific to each site. Most websites don't clean up unused accounts. The chances of my preferred username already being taken are constantly increasing. So often the user is effectively forced to create some unique variation of their preferred username, or come up with something completely new, and remember what exactly they have used for each site. This is hard, similar to how coming up with a unique password for each website is hard.
And finally, user names simply do not make any sense for many websites, and they were introduced only because everyone else on the web was doing them. Many websites are an interface between a user and a service provider (all online shops) or they primarily serve the user himself (all the web apps; these are the things that 20 years ago you would install on your computer). Many social media websites will require, or at least gently push you towards using, your legal first and last name. For all these websites, a username does not serve any tangible purpose.
Posted by: Mirek Długosz | 12/14/2021 at 05:06 PM
The email address is effectively a second auth factor, because it's something you own. They can send a token to that email and know that only you will know its value.
Posted by: AK | 01/05/2022 at 09:32 PM
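Both the account-confirmation link mentioned in the second comment and the "send a token to that email" idea in the last one rely on the same mechanism: the server proves the user controls the mailbox by sending a random, short-lived, single-use secret there and accepting it back. The following is an added example written for this post, not code from the blog or any commenter, of how a defender would implement that check safely. It assumes a hypothetical in-memory `EmailTokenStore`; a real service would persist the hashed tokens in a database and send the raw token by email.

```python
import hashlib
import hmac
import secrets
import time

# Lifetime of a verification token in seconds (assumed value for this example).
TOKEN_TTL_SECONDS = 15 * 60


class EmailTokenStore:
    """Issue and verify email-ownership tokens.

    Only a SHA-256 digest of each token is stored, so a leaked store does not
    yield usable tokens. Tokens expire and are consumed on first successful use.
    The clock is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        # email -> (hex digest of token, expiry timestamp)
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for `email` and return the raw value to be mailed."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
        key = email.strip().lower()
        # Re-issuing replaces any earlier token, so only the newest link works.
        self._pending[key] = (self._digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token

    def verify(self, email: str, presented: str) -> bool:
        """Return True exactly once for the current, unexpired token of `email`."""
        key = email.strip().lower()
        record = self._pending.get(key)
        if record is None:
            return False
        stored_digest, expires_at = record
        if self._now() > expires_at:
            del self._pending[key]  # expired tokens are discarded, not retried
            return False
        # Constant-time comparison of digests avoids timing side channels.
        ok = hmac.compare_digest(stored_digest, self._digest(presented))
        if ok:
            del self._pending[key]  # single use: the link cannot be replayed
        return ok


def demo_flow() -> dict:
    """Walk through the lifecycle with a controllable clock; returns the outcomes."""
    clock = [1_700_000_000.0]  # constructed starting timestamp
    store = EmailTokenStore(now=lambda: clock[0])
    email = "user@example.com"  # constructed sample address

    token = store.issue(email)
    results = {
        "wrong_token_rejected": store.verify(email, "not-the-token") is False,
        "right_token_accepted": store.verify(email, token) is True,
        "replay_rejected": store.verify(email, token) is False,
    }

    token2 = store.issue(email)
    clock[0] += TOKEN_TTL_SECONDS + 1  # move past the expiry window
    results["expired_rejected"] = store.verify(email, token2) is False
    results["tokens_differ"] = token != token2
    return results


if __name__ == "__main__":
    for name, passed in demo_flow().items():
        print(f"{name}: {'ok' if passed else 'FAILED'}")
```

The design points worth noting are the ones a username-only scheme cannot offer: the secret is generated server-side from a CSPRNG rather than chosen by the user, it is bound to a specific mailbox, it dies after a fixed window, and a successful use invalidates it so a captured link in an old email is worthless. That is what makes the mailbox behave like the "something you own" factor the last comment describes.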