Web Application Authentication design problem
Wonder if I could get some advice on the best way to solve this authentication problem.
I have a store web application. Due to the nature of the store, any user must be authenticated in order to view or use it. Access to the store for all users is through a single login form.
There are 4 levels of user, superuser (me), store manager, store worker, and customer.
My problem is what type of authentication to use for each type of user, should it be email based? or based on some kind of username?
A store manager will come to our site, and create a new store, and I am happy that they should use an email address and password for authentication. The store manager will then create accounts for store workers and customers. For customers, again, I am happy for them to authenticate with an email address and password. But what should I use for store workers? I don't think it's appropriate for them to use their personal email address for an account that will be purely professional, what do you think? In addition, I can foresee that the manager may create a single worker account, leave it logged in, and all workers will use this one account, so again, an email address would be inappropriate.
So these are the solutions I can think of, but all have problems:
The store manager creates store worker accounts that have a username and password. Problem with this is that because all access to the site is through a single login, they could spend ages trying to find a username that has not already been taken.
When a store worker is created they are assigned a unique login id, e.g. 0002014, and together with a password, this can be used to authenticate. Problem with this is that the login id would be hard to remember.
I also considered having a username that is somehow combined with the store name (which is unique) but couldn't think of an elegant way to make it work, it couldn't look like an email address for example.
Anyone have a preference on the above? or hopefully can suggest a better solution. Thanks for reading.
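One way the store-scoped username from the question could be made to work, as an added example that is not part of the original thread. The schema, the `store/username` login form, and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE store (id INTEGER PRIMARY KEY, slug TEXT UNIQUE NOT NULL);
        CREATE TABLE account (
            id INTEGER PRIMARY KEY,
            store_id INTEGER REFERENCES store(id),
            role TEXT NOT NULL,
            email TEXT UNIQUE,            -- managers, customers, superuser
            username TEXT CHECK (username NOT LIKE '%@%'),  -- store workers
            salt BLOB NOT NULL, pw_hash BLOB NOT NULL,
            UNIQUE (store_id, username),  -- a name only has to be free within its store
            CHECK ((email IS NULL) <> (username IS NULL)));
    """)
    return db

def create_account(db, role, password, store_id=None, email=None, username=None):
    salt = os.urandom(16)
    db.execute("INSERT INTO account (store_id, role, email, username, salt, pw_hash)"
               " VALUES (?,?,?,?,?,?)",
               (store_id, role, email and email.lower(), username and username.lower(),
                salt, hash_password(password, salt)))

def login(db, identifier, password):
    """Return (account_id, role) on success, None on any failure."""
    ident = identifier.strip().lower()
    row = None
    if "@" in ident:                      # email login
        row = db.execute("SELECT id, role, salt, pw_hash FROM account WHERE email = ?",
                         (ident,)).fetchone()
    elif "/" in ident:                    # worker login typed as store/username
        slug, username = ident.split("/", 1)
        row = db.execute("SELECT a.id, a.role, a.salt, a.pw_hash FROM account a"
                         " JOIN store s ON s.id = a.store_id"
                         " WHERE s.slug = ? AND a.username = ?", (slug, username)).fetchone()
    # Hash even when nothing matched so both failure paths do the same work.
    salt, expected = (row[2], row[3]) if row else (b"\0" * 16, b"\0" * 32)
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return (row[0], row[1]) if row and ok else None
```

Because `login` returns `None` for every failure, the single login form can show one generic error and does not reveal which stores or usernames exist.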
Good question. Using email would be the good solution for employees as well. The reasons are:
Nowadays you can get a lot of free email accounts. So employees who don't want to use personal email can create one and use it.
If the store manager wants to use one account for all, then he can create a common email and use it.
Reset/forgot password can be implemented quickly if we use email.
Easy to check user name availability compared to a mix of username and email.
Since you are using the same page to log in, if the email is unique, it's easy to get the role of the logged in person.
Hope it helps.
Most web-based systems I use these days tend to be username and password based, but quite a few use emails as well if I remember correctly...
Which is another point, if you're thinking this carefully about what details are used for authentication you should also consider other authentication related scenarios; a lot of sites I access these days remember login details for you - to the point that I can't remember if they are username or email based.
The good thing about an email is that it's unique. I think "forcing" people to use an email is no big deal - it's up to them which one they use. If they need an email address for a work related account then it should be a work related email address - but that's their issue.
Another aspect is the platform you're using; I'm pretty sure ASP.NET's out-of-the-box role and membership provider works off a username for login by default. So if you leverage an existing framework that sort of decision might be made for you.
Finally, in terms of different approaches, there are also federated authentication systems/providers out there like OpenID which you could use - so you don't even need to write a lot of the user / security management stuff at all - and it makes it easier for users if they can re-use a set of credentials they are already familiar with. I haven't looked at it but I think there are probably equivalents for being able to log in using things like your Yahoo / Google / Facebook accounts as well.