Use email addresses for authentication
When I log in to the Penny Arcade forums or Metafilter, I log in as “Imperfect”. Other places on the internet require me to log in as “Imperfex”, since “Imperfect” was taken before I got there. And when I tried to log in to my banking site, they demanded I use a number in my username, so I’m required to create yet another username. All in all, I have maybe five or six usernames I use with some frequency.
It’s bad enough that I have to remember a dozen passwords to the dozen or so different sites I log into frequently. But to also have to remember which username I used to sign up as well? It gets ridiculous.
Assume I’ve forgotten both the username and password I used to sign up for ZobR – the very latest web-2.0 friend-to-friend notepad-sharing network. With five usernames and twelve passwords, I have up to sixty combinations to try out before I can gain access.
Of course, three tries later, the auto-hacker-prevention technology (“Hacker Safe”, oh jeeze, that’s a laugh) kicks in and locks the account anyway, so I have to use the “forgot your username/password?” link.
This is nonsense. There are precious few circumstances where it makes sense to use a site-specific username as part of the login credentials. You should nearly always use the email address.
Anonymity: Say you want to sign up for a dating site, but don’t want your email address flashed around everywhere. Simple! The email address is used only to identify the account when you log in. You pick an anonymous pseudonym once the account exists, and that pseudonym is all other users ever see. This is how dating sites work anyway, although most require you to create a username that is never used for anything except authentication.
Security: Every time you sign into your webmail, you type your email address. It’s already out there in the clear, guys. And the idea that your username should be as difficult to guess as your password is nonsense. The username identifies the account; the password (and whatever second factor you add) is what proves you own it, and the username is visible on screen as you type it. Put the strictness rules on the secret, not on the identifier. The one thing to get right is that the login, signup and “forgot password” forms answer the same way for a known and an unknown address, so the identifier doesn’t leak which addresses have accounts.
Email address not collected: Most places collect your email address as a matter of course. It makes it a snap to send out a password reset link should you forget your password, or to send service alerts. Sure, if a site genuinely doesn’t need an email address, then perhaps a custom username is justified. But you already need a field that identifies the account at login; why not make that field the email address?
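Putting the three points together, here is an added example of the account model argued for above (my illustration, not code from this post or from any site it mentions). The normalized email address is the login identifier and the only key used to authenticate or to mail a reset link; a separate pseudonym is the only thing exposed to other users; and the password is the only credential that carries any complexity or hashing cost. The in-memory store, the three-failure lockout and the fifteen-minute reset-link lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed, in-memory account store for illustration only (no real
# database, no real mail). The login identifier is the email address; the
# public handle is a separate field that is never used to authenticate.

PBKDF2_ROUNDS = 100_000
MAX_FAILED_LOGINS = 3          # assumed: mirrors the "three tries" lockout above
RESET_TOKEN_TTL = 15 * 60      # assumed: seconds a reset link stays valid


def normalize_email(email: str) -> str:
    """Canonical form used as the account key. RFC 5321 lets local parts be
    case-sensitive, but practically every provider ignores case, so the whole
    address is lower-cased so 'Imperfect@Example.com' finds the same account."""
    return email.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        self._by_email = {}      # normalized email -> account record
        self._by_handle = {}     # public pseudonym -> normalized email
        self._reset_tokens = {}  # reset token -> (normalized email, expiry)

    def register(self, email, handle, password):
        key = normalize_email(email)
        if key in self._by_email or handle in self._by_handle:
            raise ValueError("email or handle already in use")
        salt = os.urandom(16)
        self._by_email[key] = {
            "email": key, "handle": handle, "salt": salt,
            "pw_hash": hash_password(password, salt),
            "failed": 0, "locked": False,
        }
        self._by_handle[handle] = key

    def login(self, email, password) -> bool:
        acct = self._by_email.get(normalize_email(email))
        if acct is None:
            # Spend the same hashing cost for an unknown address so a missing
            # account is not distinguishable from a wrong password by timing.
            hash_password(password, b"\x00" * 16)
            return False
        if acct["locked"]:
            return False
        ok = hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"])
        if ok:
            acct["failed"] = 0
            return True
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_LOGINS:
            acct["locked"] = True
        return False

    def public_profile(self, handle):
        """What other users see: the pseudonym only, never the email."""
        key = self._by_handle.get(handle)
        if key is None:
            return None
        return {"handle": self._by_email[key]["handle"]}

    def request_reset(self, email, now=None):
        """Return a single-use token to be mailed to the address on file, or
        None for an unknown address. The caller shows the same "if that
        address is registered, we sent a link" message in both cases."""
        key = normalize_email(email)
        if key not in self._by_email:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = (key, (now or time.time()) + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None) -> bool:
        entry = self._reset_tokens.pop(token, None)   # pop: token is single-use
        if entry is None:
            return False
        key, expiry = entry
        if (now or time.time()) > expiry:
            return False
        acct = self._by_email[key]
        acct["salt"] = os.urandom(16)
        acct["pw_hash"] = hash_password(new_password, acct["salt"])
        acct["failed"] = 0
        acct["locked"] = False   # a successful reset also clears the lockout
        return True
```

Note that nothing in the store enforces any rule on the email beyond normalization: all the cost and all the secrecy live in the password hash, and the only way to learn whether an address is registered is to already control its mailbox.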
It’s what’s simplest for the user
And that’s what counts, right?