简体繁体 English

允许使用电子邮件地址登录，同时允许多个用户使用相同的电子邮

[英]Allowing login with email address while allowing multiple users with same email address

原文 2011-08-24 01:30:27 3 4 authentication/ language-agnostic

For a website, I would like users to be able to log in using either their unique username or their email address. 对于网站，我希望用户能够使用其唯一的用户名或电子邮件地址登录。

However, this site will potentially allow multiple user accounts with the same email address. 但是，此站点可能允许多个用户帐户使用相同的电子邮件地址。 (For instance, they may be the same person working for two different companies, etc. Also, for business reasons, each user account is associated with only one company. So if users work for more than one company, they have one login for each one.) （例如，他们可能是为两个不同的公司工作的同一个人，等等。另外，由于商业原因，每个用户帐户只与一家公司相关联。因此，如果用户为多个公司工作，他们每个人都有一个登录一。）

Here are some possible ways to handle this when the user logs in with an email address: 当用户使用电子邮件地址登录时，可以使用以下方法处理此问题：

If more than one account matches the email address, AND the password (hashed of course) matches at least one of the passwords for an account with this address, then do one of the following: 如果多个帐户与电子邮件地址匹配，则密码（当然是哈希值）与具有此地址的帐户的至少一个密码匹配，然后执行以下操作之一：

A. Tell the user that their email address is associated with more than one account, so they will need to log in using their username instead. A.告诉用户他们的电子邮件地址与多个帐户相关联，因此他们需要使用他们的用户名登录。

or 要么

B. Same as A, however if the password matches exactly one of the account's passwords, just accept it and log in as that account. B.与A相同，但如果密码恰好与帐户的密码之一匹配，则只需接受并以该帐户登录即可。

I would like to go with B. However, using the password to differentiate between two accounts seems like it might have some obvious security pitfalls (that I may be overlooking), or even some non-obvious ones. 我想和B一起去。但是，使用密码来区分两个帐户似乎可能会有一些明显的安全隐患（我可能会忽略），甚至是一些非显而易见的问题。

Would this be a good solution, or is there a widely accepted "best practice" for this? 这是一个很好的解决方案，还是有一个被广泛接受的“最佳实践”？

4 个解决方案

The best practice for this is to have one account. 最好的做法是拥有一个帐户。 Your database would contain records indicating which users have access/membership in which companies. 您的数据库将包含指示哪些用户具有访问/成员资格的记录。

Most sites use the email address + single password as the primary identifier. 大多数网站使用电子邮件地址+单个密码作为主要标识符。 People are used to it and it works. 人们已经习惯了它并且它有效。 Go with that. 去吧。

If people want other information associated with their login, such as other accounts, they can certainly share a login and then select which account to use after login. 如果人们想要与其登录相关联的其他信息（例如其他帐户），他们当然可以共享登录，然后选择登录后使用的帐户。 It's not part of the login, but it is associated with it. 它不是登录的一部分，但它与它相关联 。

Setting up multiple logins can lead to trouble as it requires more management, and it increases the likelihood of people being lazy about keeping their password secure. 设置多个登录可能会导致麻烦，因为它需要更多管理，并且增加了人们保持密码安全的可能性。 When you need to change your password, what then? 当您需要更改密码时，那么呢？ Change them all? 改变它们吗？ KISS = keep it simple, stupid. KISS =保持简单，愚蠢。

您可以允许单点签名指向“选择您的帐户”页面，用户在该页面上决定他们希望将哪个别名用于当前会话。

If you go with "B", what happens if the user chooses the same password for both accounts? 如果你选择“B”，如果用户为两个帐户选择相同的密码会怎样？ How will you choose which account to login to automatically and how will the user ever be able to login into the second account? 您将如何选择自动登录的帐户以及用户如何登录第二个帐户？ Messy. 乱。