Suppose a user can have multiple emails. A given email may be held by at most one user.
Is email a good pick for login purposes (so that it's used instead of the username)? Should an authentication server accept all of their emails? Should the user pick the "main" email, the one they are allowed to use for logging in?
If you think it's okay, should I extend it to any unique user attribute, like a phone number (which a user may also have multiple of)?
I realize it's widespread and more user-friendly (since a person is more likely to remember their email or phone as opposed to their username, not used in everyday life). Still, I'm not totally sure it's worth the added complexity.
2 Answers
The use of an email address or phone number is usually chosen to reduce friction / to make the user's life easier - for example a password reset flow can use the email or phone number - without needing to look up a username first.
Generally speaking it's not hard to present the user with a single "login" field and check it against several backend fields (username, email, phone) assuming all of those fields are able to uniquely identify the user.
Supporting multiple of a given type (multiple email addresses or phone numbers) is a little more complex. Phone numbers in particular get re-used when people change phone providers, hence you may get a situation where someone has left a phone number (which they no longer control) attached to their account and registered another one. This really becomes a question of ROI - is the extra work developing flows to support multiple phones, emails etc. worth the return of an "easier" workflow for your users**?
** - This may not be possible, most users are pretty comfortable having a single username, email and (mobile) phone per site.
There may be cases where a different login makes sense - for example a DNS registrar may allow the user to log in using one of the DNS names they control.
TL;DR - Supporting multiple login types (email, username, phone) may make sense (not much work), but it's really going to depend upon your business requirements.
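The single "login" field checked against several unique backend fields, plus the stale-phone-number case from the answer above, as an added example that is not part of the original post. It assumes a hypothetical in-memory `UserStore` (a real deployment would back it with a database unique index on `(kind, value)`), assumes phone numbers are entered with their country code, and makes one design choice the answer does not spell out: an email or phone can be used to log in only after the account has proven possession of it, and proving possession revokes any stale copy left on another account, so a recycled number stops receiving that old account's reset codes.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    user_id: int
    username: str
    # kind -> {normalized value -> verified flag}; a user may hold several of each
    contacts: dict = field(default_factory=lambda: {"email": {}, "phone": {}})


def classify(raw: str) -> str:
    """Guess which backend field a value typed into the single login box refers to."""
    s = raw.strip()
    if "@" in s:
        return "email"
    if re.fullmatch(r"\+?[\d\s().-]{7,}", s):
        return "phone"
    return "username"


def normalize(kind: str, raw: str) -> str:
    """Canonical form used for the uniqueness index and for lookups."""
    s = raw.strip()
    if kind == "phone":
        # Assumption: the country code is present; strip separators to digits only
        return "+" + re.sub(r"\D", "", s)
    # Usernames and email addresses are compared case-insensitively
    return s.lower()


class UserStore:
    """Hypothetical store enforcing 'a given identifier belongs to at most one user'."""

    def __init__(self) -> None:
        self.users: dict = {}   # user_id -> User
        self.index: dict = {}   # (kind, value) -> user_id, usernames + verified contacts only

    def add_user(self, user: User) -> None:
        key = ("username", normalize("username", user.username))
        if key in self.index:
            raise ValueError(f"username {user.username!r} is already taken")
        self.users[user.user_id] = user
        self.index[key] = user.user_id

    def attach(self, user_id: int, kind: str, raw: str) -> str:
        """Attach an email/phone as unverified; it cannot yet be used to log in."""
        value = normalize(kind, raw)
        self.users[user_id].contacts[kind][value] = False
        return value

    def mark_verified(self, user_id: int, kind: str, raw: str) -> None:
        """Call only after an out-of-band proof of possession (mailed link, SMS code).

        If another account still holds a verified copy (e.g. a phone number the
        previous owner gave up), that stale binding is revoked there; in
        production the previous owner should also be notified.
        """
        value = normalize(kind, raw)
        prev = self.index.get((kind, value))
        if prev is not None and prev != user_id:
            self.users[prev].contacts[kind].pop(value, None)
        self.index[(kind, value)] = user_id
        self.users[user_id].contacts[kind][value] = True

    def resolve_login(self, raw: str) -> Optional[User]:
        """Map whatever was typed into the login field to at most one account."""
        kind = classify(raw)
        user_id = self.index.get((kind, normalize(kind, raw)))
        return self.users[user_id] if user_id is not None else None


def demo() -> dict:
    """Constructed walk-through: verified lookup, stale phone re-used by a new owner."""
    store = UserStore()
    store.add_user(User(1, "Alice"))
    store.attach(1, "email", " Alice@Example.com ")
    before = store.resolve_login("alice@example.com")          # None: not yet verified
    store.mark_verified(1, "email", "ALICE@EXAMPLE.COM")
    store.attach(1, "phone", "+1 (555) 010-0001")
    store.mark_verified(1, "phone", "+15550100001")
    # Alice changes provider; Bob later receives the same number and proves he holds it
    store.add_user(User(2, "bob"))
    store.attach(2, "phone", "+1 555 010 0001")
    store.mark_verified(2, "phone", "+15550100001")
    return {
        "unverified_resolves": before,
        "email_owner": store.resolve_login("alice@example.com").user_id,
        "phone_owner": store.resolve_login("1 555 010 0001").user_id,
        "alice_phones": dict(store.users[1].contacts["phone"]),
    }


if __name__ == "__main__":
    print(demo())
```

The index only ever holds usernames and verified contacts, so an attacker who attaches someone else's address to their own account gains nothing: it neither resolves at login nor blocks the real owner from verifying it later.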
Suppose a user can have multiple emails
This has been true since the invention of email.
A given email may be held by at most one user.
This has never been true.
Is email a good pick for login purposes (so that it's used instead of the username)?
Yes. Insofar as it has de-confliction built into it. An email can be presumed to be unique (unless a faker gets to it first) and has already put the user through the ceremony of adding however many numbers are required to make it unique.
Should an authentication server accept all of their emails
If your goal is to profile people, rather than simply establish a unique username, sure.
Should the user pick the "main" email, the one they are allowed to use for logging in?
Depends on how the user feels about being profiled.
should I extend it to any unique user attribute, like a phone number (which a user may also have multiple of)?
This enables two-factor authentication. Also profiling.
I'm not totally sure it's worth the added complexity
Of allowing dots (.) and at-signs (@) in the user name string? That's a fairly strict complexity tolerance.