Usernames

Is it possible to move away from usernames as email address? As someone in digital and digital security, using email as UN is a vulnerability.


6/12/2017 4:49:31 PM #1

Hello and thanks for your message,

Currently, it is a common best practice to use an email address as part of your login info.

If we used usernames, everyone would immediately know 1/2 of your login credentials and this is not recommended.

If I misunderstood what you are asking please let me know.

Thank you,


"Stupid questions make more sense than stupid mistakes."

6/12/2017 5:42:55 PM #2

I think they meant a username that is separate from a forum name (aka our aliases). So both username and password would only be seen/used for login.

I wonder as well why it is done with email alone. Perhaps it is more convenient when it comes to remembering login info, but if it isn't as safe, why settle?


2A4E09

6/12/2017 6:34:25 PM #3

Salesforce, the largest business enterprise CRM uses email as your username. Facebook, the largest social media site on the planet uses email as your username. Microsoft and Google use your email as your login information.

While we are aware there are more complex and secure ways of handling your login information, there isn't a way that also ensures everyone can easily remember their own login data.

Thank you for your feedback!


"Stupid questions make more sense than stupid mistakes."

6/12/2017 6:40:36 PM #4

Email addresses guarantee uniqueness, so at a minimum, using email eliminates the need for another field and bypasses the silly "black box" guessing game users confront when trying to register usernames on a large forum. Have you ever tried registering a "username" on a forum with hundreds of thousands of users? Giant PITA.

Using email address is the way to go. Your security concerns can be addressed in other ways, like two factor authentication (something Google switched to not long ago).


6/13/2017 11:15:19 PM #5

Posted By Hieronymus at 11:40 AM - Mon Jun 12 2017

Email addresses guarantee uniqueness, so at a minimum, using email eliminates the need for another field and bypasses the silly "black box" guessing game users confront when trying to register usernames on a large forum. Have you ever tried registering a "username" on a forum with hundreds of thousands of users? Giant PITA.

Using email address is the way to go. Your security concerns can be addressed in other ways, like two factor authentication (something Google switched to not long ago).

Makes more sense than the 'email is popular' response, thanks.

In response to your question though, I have easily picked a unique username on many other forum sites. Picking a visible name is hard if it has to be unique because I like real-seeming names, but usernames are easy because you can include numbers and make them long without worrying about being known by it.

I don't care if this site changes what they have going. Like I said before, it is easier as it is (the less I have to remember the better), but OP did kinda bring up a point that I thought worth a well discussed answer (at least among the community if not the devs). But maybe it's not the right forum section for discussion, so sorry for adding to the initial post.


2A4E09

6/14/2017 12:45:26 AM #6

A best practice is a lot different from popular.

There is almost always more than one way to skin a cat, and I am sure as CoE evolves, our site and security infrastructure will too. One day in the future, we may deploy 2-factor authentication, but for now we have email and passwords.


"Stupid questions make more sense than stupid mistakes."

6/14/2017 1:41:16 PM #7

Two-factor, kmn. Official CoE Branded USB Fingerprint machine login and you got me though.


The Akashic Records

6/17/2017 8:47:49 PM #8

Email address is not a best practice. I work in digital cyber security. Email addresses are not obscure, they are logged by hackers and many other sites when they push information. Usernames are not. SBS sends emails out to users. They store 1/2 the credentials, therefore.

The examples provided are not honestly good ones (all have serious hacking). I am very familiar with Salesforce, perhaps too familiar. Salesforce within business groups always use a SAML to the business back end authentication. The reason banks and government, insurance, and other securities do not use email as log-in is because they are not as secure as usernames. The fact that most MMOs do is also a security risk due to redundancy.

Usernames also enable the use of email if preferred as generally allowed by the schema.

Simply providing the option increases that opportunity. Forum sign-on and game sign-on should also be different or permitted to be.

You may have credit card information after all.

Other good reasons:

  1. Phishing - spam from emails allows for ways to grab passwords from scam emails. Hacker gets both. Not so in usernames.

  2. Account lock outs - emails are more publicly known. Malicious people can set up bots to lock out accounts simply by sending pings to account sign-on with email address with phony passwords.

  3. Open username (including allowing email) is harder to combine with passwords than a field that says "email address".

  4. Usernames do not require other account set-ups. Email addresses do, which means most folks have a limited number of 50% of their credentials (unlike UN). Setting up new gmail for every game is not ideal...UN strategy does not require a new online/email account.

  5. Password resets/lock-outs: Using an email address as log in and as the means to unlock or reset the password is circular. This requires other means and leaves out at least one way for it to be unlocked or notified of vulnerabilities.
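
The account lock-out concern in point 2 above, shown from the defender's side as an added example that is not part of the original thread or the site's code: a hard lockout keyed on the login identifier is compared with a retry throttle keyed on the (identifier, source) pair. The class names, address and IPs are constructed for illustration.

```python
from collections import defaultdict

class HardLockout:
    """Locks the account after max_failures bad passwords, whoever sent them."""
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)          # login_id -> failure count

    def allowed(self, login_id, source, now):
        return self.failures[login_id] < self.max_failures

    def record_failure(self, login_id, source, now):
        self.failures[login_id] += 1

class PerSourceThrottle:
    """Exponential backoff per (login_id, source); other sources are unaffected."""
    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}          # (login_id, source) -> (failures, next_allowed_at)

    def allowed(self, login_id, source, now):
        return now >= self.state.get((login_id, source), (0, 0.0))[1]

    def record_failure(self, login_id, source, now):
        count = self.state.get((login_id, source), (0, 0.0))[0] + 1
        over = count - self.free_attempts
        delay = 0.0 if over <= 0 else min(self.base_delay * 2 ** (over - 1),
                                          self.max_delay)
        self.state[(login_id, source)] = (count, now + delay)

def simulate(bad_attempts=20):
    """One source sends a bad password per second for a known email address."""
    victim = "player@example.com"                  # constructed sample identifier
    bot, home = "203.0.113.7", "198.51.100.20"     # documentation-range IPs
    hard, throttle = HardLockout(), PerSourceThrottle()
    checked, now = 0, 0.0
    for _ in range(bad_attempts):
        hard.record_failure(victim, bot, now)
        if throttle.allowed(victim, bot, now):     # only unthrottled tries are checked
            throttle.record_failure(victim, bot, now)
            checked += 1
        now += 1.0
    return {
        "hard_victim_ok": hard.allowed(victim, home, now),
        "throttle_victim_ok": throttle.allowed(victim, home, now),
        "bot_guesses_checked": checked,
        "bot_blocked_now": not throttle.allowed(victim, bot, now),
    }

if __name__ == "__main__":
    print(simulate())
```

Keying only on the source does not slow guessing spread across many sources, which is where the two-factor authentication raised earlier in the thread comes in.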