by palakz on 8/8/16, 7:23 AM with 14 comments
Now, the problem is that we cannot use FB username, FB email, Twitter username or Twitter email or the Meraki username as a constant user identity for their actions on the app because it may vary as user can change it anytime.
How do we or what do we choose as a User identity? Providing numbers-identity to newly signed up users doesn't seem that attractive to us.
by mjevans on 8/8/16, 8:58 AM
You use an internal ID that you control, which fits the requirements of your design.
External authenticators can then associate to your internal account as you design. If the external authenticators can be 'renamed' you'll want to insist on a sidechannel (often email) and recovery process for that channel (or SMS is popular).
Any data you collect can and will be used against your customers in the event of liquidation and/or oppressive governments in the jurisdictions your servers are hosted in: I recommend allowing 'email only' as an option for your users.
by edent on 8/8/16, 9:36 AM
For default user names, I quite like how gfycat does it - http://gfycat.com/about - AdjectiveAdjectiveAnimal - so a user is given a default name like "ReluctantCandidWombat". Fun, unique, hard to iterate, and hopefully provides an incentive to the user to change it later.
by mindcrash on 8/8/16, 3:59 PM
One, a human facing unique id (or 'nickname') -- such as palakz -- which you can use in your HI and whatnot. This one could even change over time.
Two, a computer facing unique id (or 'subject') which uniquely identifies the person in your application, usually a guid, long integer or whatnot. This one never changes.
Then combine the two and put them either in a secure (encrypted) cookie (for your web app) or token (for your mobile app) and you are basically done.
This for example is how authentication on Twitter works. Every person on Twitter has a unique id (probably designated through Snowflake mentioned below) and a self chosen name (which you can also change if I remember correctly). The former is stored in a secure cookie (in the web app) or a token (in the mobile app) together with some other static user information (e.g. nickname). When visiting a page requiring authentication the id is exposed to the backend code so it can recognize who you are and for example decide what actions to take (e.g. take you to the onboarding page or your personal timeline)
Hope this helps :)
by Freak_NL on 8/8/16, 9:08 AM
No normal email only sign-up? Does your demographic not include people who prefer not linking their accounts to external identity providers?
by h_o on 8/8/16, 8:58 AM
My opinion is that having number based user accounts is fine as long as you don't provide any access to them in any of your request parameters.
They should be safely maintained server side, within sessions, and any request for other user's details is done via their username.
My last point is that a user should never be able to find out their user id #.
If you allow users to change their username, then you put the responsibility in the users hands to update their external links.
Eg. If I change my twitter handle, I have no idea how many places I have that referenced - so I just don't do it (not sure if you even can change it at will actually)
by 56k on 8/8/16, 9:06 AM
If you don't want to allow that, why not just to fb_{facebook_id, tw_{twitter_id}, etc.?
by dyeje on 8/8/16, 6:09 PM
Also, I recommend just using email for logins. They can change their username whenever, but the email stays the same.
by flukus on 8/9/16, 6:39 AM
by evilneuro on 8/8/16, 11:19 AM
by fratlas on 8/8/16, 8:38 AM
by cryptarch on 8/8/16, 7:30 AM
You would then have to enforce username uniqueness when assigning/renaming usernames.
by ohstopitu on 8/8/16, 12:32 PM