Allowing login with email address while allowing multiple users with same email address
For a website, I would like users to be able to log in using either their unique username or their email address.
However, this site will potentially allow multiple user accounts with the same email address. (For instance, they may be the same person working for two different companies, etc. Also, for business reasons, each user account is associated with only one company. So if users work for more than one company, they have one login for each one.)
Here are some possible ways to handle this when the user logs in with an email address:
If more than one account matches the email address, AND the password (hashed of course) matches at least one of the passwords for an account with this address, then do one of the following:
A. Tell the user that their email address is associated with more than one account, so they will need to log in using their username instead.
or
B. Same as A, however if the password matches exactly one of the account's passwords, just accept it and log in as that account.
I would like to go with B. However, using the password to differentiate between two accounts seems like it might have some obvious security pitfalls (that I may be overlooking), or even some non-obvious ones.
Would this be a good solution, or is there a widely accepted "best practice" for this?
The best practice for this is to have one account. Your database would contain records indicating which users have access/membership in which companies.
Most sites use the email address + single password as the primary identifier. People are used to it and it works. Go with that.
If people want other information associated with their login, such as other accounts, they can certainly share a login and then select which account to use after login. It's not part of the login, but it is associated with it.
Setting up multiple logins can lead to trouble as it requires more management, and it increases the likelihood of people being lazy about keeping their password secure. When you need to change your password, what then? Change them all? KISS = keep it simple, stupid.
You could allow single sign-in to point to a "select your account" page on which the user decides which alias they wish to use for the current session.
If you go with "B", what happens if the user chooses the same password for both accounts? How will you choose which account to log in to automatically, and how will the user ever be able to log into the second account? Messy.
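As an added example (not code from the question or any of the answers), here is option B from the question written out in Python with standard-library PBKDF2 hashing; the account table, usernames, companies and passwords are constructed for the demo, and the two "bob" accounts that reuse one password show the ambiguity the last answer points out:

```python
import hashlib
import hmac
import os

# Demo-only work factor (an assumption for this example, not a tuning recommendation).
ITERATIONS = 50_000


def hash_password(password, salt=None):
    """Return (salt, digest); every account gets its own random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def make_account(username, email, company, password):
    salt, digest = hash_password(password)
    return {"username": username, "email": email, "company": company,
            "salt": salt, "digest": digest}


# Constructed user table: each address is bound to one account per company.
ACCOUNTS = [
    make_account("alice_acme", "alice@example.com", "Acme", "correct horse"),
    make_account("alice_globex", "alice@example.com", "Globex", "battery staple"),
    make_account("bob_acme", "bob@example.com", "Acme", "hunter2"),
    make_account("bob_globex", "bob@example.com", "Globex", "hunter2"),  # password reused
]


def login_with_email(email, password):
    """Option B: log in only if the password matches exactly one account on the address.

    Returns ("ok", account), ("ambiguous", None) or ("denied", None).
    Note that the hash is verified once per account sharing the address, so the
    cost of one login attempt grows with the number of accounts per email.
    """
    matches = [a for a in ACCOUNTS
               if a["email"].lower() == email.lower()
               and verify_password(password, a["salt"], a["digest"])]
    if len(matches) == 1:
        return "ok", matches[0]
    if len(matches) > 1:
        # The pitfall from the answers: two accounts accept this password, so
        # there is no safe way to pick one. Fall back to option A (ask for the
        # username) instead of guessing.
        return "ambiguous", None
    return "denied", None
```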