Remove Username & Replace with Email

[thedead]

How would you suggest I remove the username and replace it with only the email? Is it possible to add this as a feature you can turn on/off?

[alexweissman]

Hmm...it's possible, but not sure if it's advisable from a security standpoint:

http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/
"Many use the same e-mail address and password to create financial transaction accounts across multiple websites. Cybercriminals know this and are expert at taking full advantage."

However, I can see the advantage from a usability standpoint. One simple way would be to allow users to log in with EITHER their username or email. Then it's just a matter of checking both fields when the login request is processed (in "process_login.php").

[thedead]

Interesting, however most people use the same usernames everywhere :)

I guess I could make the username auto-populate to the email address and have the login check for either as you mentioned.

[alexweissman]

Yeah, that's actually a good point. It seems like a decision that should be up to the site administrators - so, let's make a "enable email log in" option in the site configuration. In that case, it's extra important that users specify a unique email address when their account is created.

Also, if this toggle is enabled, how should new account registration proceed (via register.php)? Still ask them to specify a username, or just automatically copy their email address to their username field?

[lilfade]

This topic can probably be closed now since we added this feature.

[alexweissman]

Done!

[MACscr]

I must be blind, where was this implemented?