Email Addresses Are Good Login Identifiers But Horrible Permanent Identifiers
Hiya,
Email addresses are often used in CIAM (customer identity and access management) systems as a login identifier: one half of the set of credentials used to identify a user to a system. The other half is typically a password or passcode.
Email addresses are good login identifiers for a number of reasons:
- They are freely available from many different providers.
- They can be verified, even if it is more complicated than you might think.
- They are unique (at a given point in time).
- People know their email address.
These properties are all critical for any identifier used as part of a set of credentials. The identifier is usually paired with a password, and the pair is validated; then, possibly after an additional factor of authentication is provided, the user gains access to the online system.
This is all well and good, but should the email identifier be used as the immutable key, either within a CIAM system or between CIAM systems (connected using federation)?
Nope. Chris Siebenmann outlines why email addresses are not good permanent identifiers. Reasons include:
- people’s addresses change over time, based on employment or other factors
- they can be reused
- meaningless identifiers (surrogate keys) make your life easier
What to do instead? Use email addresses as the login identifier, verify them (both on initial registration and on any change), and use the sub claim (or similar) when federating.
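As an added illustration (not code from the original post or from Chris Siebenmann), here is a minimal Python user store that applies that advice: a random surrogate key is the permanent identity, the email address is a verified but changeable login identifier, and federated identities are linked by (issuer, sub). The issuer URL, sub value and addresses are constructed sample data.

```python
import uuid
from dataclasses import dataclass

@dataclass
class User:
    id: str                 # immutable surrogate key, never reused
    email: str              # mutable login identifier
    email_verified: bool = False

class UserStore:
    def __init__(self):
        self.by_id, self.by_email, self.by_federated = {}, {}, {}

    def register(self, email):
        if email.lower() in self.by_email:
            raise ValueError("email address already in use")
        user = User(id=str(uuid.uuid4()), email=email.lower())
        self.by_id[user.id], self.by_email[user.email] = user, user.id
        return user

    def verify_email(self, user_id):  # after the user proves control of the mailbox
        self.by_id[user_id].email_verified = True

    def change_email(self, user_id, new_email):
        # the surrogate key is untouched; only the login identifier moves,
        # and the new address is untrusted until it is verified again
        if new_email.lower() in self.by_email:
            raise ValueError("email address already in use")
        user = self.by_id[user_id]
        del self.by_email[user.email]
        user.email, user.email_verified = new_email.lower(), False
        self.by_email[user.email] = user_id

    def link_federated(self, user_id, issuer, sub):
        # federated identities are keyed by (issuer, sub), never by email
        self.by_federated[(issuer, sub)] = user_id

    def federated_login(self, issuer, sub):
        return self.by_federated.get((issuer, sub))  # None if never linked

def scenario():
    store = UserStore()                                   # constructed sample data below
    alice = store.register("alice@corp.example")
    store.verify_email(alice.id)
    store.link_federated(alice.id, "https://idp.example", "sub-1234")  # hypothetical issuer/sub
    store.change_email(alice.id, "alice@home.example")    # old address is released...
    bob = store.register("alice@corp.example")            # ...and reused by someone else
    # (issuer, sub) still resolves to Alice; a link keyed on the token's email claim would hit Bob
    return {"alice": alice.id, "bob": bob.id, "alice_verified": alice.email_verified,
            "federated": store.federated_login("https://idp.example", "sub-1234"),
            "by_email": store.by_email["alice@corp.example"]}
```

The scenario reproduces the reuse problem from the list above: after Alice moves to a new address and Bob registers the old one, a lookup by email lands on Bob's account, while the (issuer, sub) link still resolves to Alice.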
Dan
PS all of these strengths and weaknesses apply to phone numbers as well.