Username should an arbitrary object-id, service generated.
This is OOD, isn't it ?
Additionaly user should be given the possibility (not obligation) to provide: - one or more email addresses (primary & secondaries) - a unique user chosen ID - 30 or so chars. - a user chosen Display Name, not unique - a password (optional too)
User should be able to login using their optional password and either : - an email address or - their user chosen unique ID or - their system generated unique ID
If login fails because user is not known, user should be directed to a pre-filled "register" page ! Never ask user to re-enter data just typed a page before.
Only the object-id and Display Name should be public by default. Display Name should default to unique user, name part of email address or Anonymous.
There should be a log of failed & successful logins, with optional email delivery/alerts.
when it is the the mail address, this makes a strong case for also validating them, otherwise people can accidentally lock up other peoples address by misspelling their own mail address. i think a user will never switch mail accounts to get access to a site. and as the customer service person you will be reluctant to delete a stale account from a misspelling, only because somebody claims his address is blocked. so you better know in advance this cannot happen.
The solution is to store banned IP's in your database, excluding massively-shared IP's like AOL, and check against this list during registration. I also keep a list of free proxies and prohibit people using those IP's from signing up.
PRO: The user doesn't have to remember yet another username for yet another site. PRO: Email addresses are more or less unique. PRO: Entering the email address does not require any new thinking on the part of the user.
CON: A lot of pain when the user changes his/her email address. CON: If the user can share his username publicly on the site, he will get inundated with SPAM and other unwanted email. CON: "Email address:/Password:" prompts mislead users into entering the password for their own CON: It is easy to guess a person's account, and determine if they are a user or not, and even impersonate them if they use the same username/password for the site that they use for their email.
(b) The user should be forbidden from using an email address as a username.
PRO: Email address is kept private. PRO: The user can change email accounts without disturbing his identity on the site. PRO: Users who want to use their email address for convenience may be missing some of the subtle security problems caused by doing so--you are kind of protecting them against their own ignorance.
CON: Nice, easy-to-remember names get taken fast; the user is likely to forget what username he used. CON: Users' anonymity often causes as many problems are it solves; this is why Amazon.com has the "Real Name" feature.
I guess that's the "lots of pain" part, but I don't blame them.
It's a simple regexp in your login controller to figure out if what they typed in should be checked against the email address or username field in your users table.
Ignoring those... As a user of OpenID I would vote for enabling before going live (one less new account to create). I have typically noticed its the legacy sites (pre OpenID) that are integrating, whereas most new services looking to leverage the service have it ready for go-live.
Another approach is to require it, but allow an optional display name.
getting an email address and password is the bare min you need to communicate with them.
in some cases, i have only requested an email address and then sent the password in the mail. this solves a number of problems and if the user just uses the password, then you can assure they have a somewhat secure one.
