Thursday, September 8, 2011

Are Usernames Supposed to be Private?

It is a common misconception that system usernames are always meant to be private. In most cases they are not, and I would argue that in many of the cases where they are meant to be private, the people designing the access control and authentication systems have made a mistake. A username is part of the identification and authentication process: the identifier (e.g., the username) is authenticated, or verified, through correct entry of at least one private piece of information, such as a password, and sometimes through additional authentication factors: something the user knows (password or challenge question), something the user has (key card or security token), or something the user is (a biometric such as a fingerprint or retina scan).
[Tip: Use a strong password.]

Think about your workplace account. Most organizations now have single sign-on (SSO) systems that let you log in to multiple systems with the same username and password. The username is typically the first part of the email address, or the email address in its entirety. Most organizations assign the email address and username rather than letting employees choose their own, so that a naming convention guarantees unique account names. But if you know the basic naming convention, which usually includes a person's name or initials, then you can likely determine the email address of anyone else in the same organization from their name, and with it their username.

Problems arise when an organization lets the user choose the username, or when the naming convention used to create a username includes information that should remain confidential. In the past it was more common for a username to include, or simply be, a social security number, bank account number, or student ID number. An SSN or similar identifier should not be used as a username when it may also be used in a different setting to authenticate someone, in the same way a password would.
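To make the distinction between identifier and authenticator concrete, here is a small added example (my own code, not part of the original post) that models the two arguments above: a directory that derives usernames from a name-based convention, treats them as public lookup keys, keeps the password as the only secret (salted and hashed), and refuses usernames that look like an SSN or account number, since those values may serve as authenticators elsewhere. The `first.last` convention, the regular expressions, and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Identifiers that commonly double as authenticators in other settings and
# therefore must not be used as usernames. Patterns are constructed for this
# example; a real policy would be tuned to the organization's own identifiers.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
    "account_number": re.compile(r"^\d{8,17}$"),
}


def make_username(first, last, existing):
    """Derive a username from a person's name using an assumed first.last
    convention, appending a counter on collision so that names stay unique.
    This is exactly why such usernames are predictable: anyone who knows the
    convention and the person's name can reconstruct the identifier."""
    base = re.sub(r"[^a-z.]", "", f"{first}.{last}".lower())
    candidate, n = base, 1
    while candidate in existing:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def classify_username(username):
    """Return the name of the sensitive pattern the username matches, or None."""
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.match(username):
            return name
    return None


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the password is the private factor, so it is
    never stored in the clear."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class Directory:
    """Username -> (salt, digest). The username is a public key into this
    table; only the digest comparison decides authentication."""

    def __init__(self):
        self.accounts = {}
        self._dummy_salt = os.urandom(16)

    def create(self, username, password):
        reason = classify_username(username)
        if reason is not None:
            raise ValueError(
                f"username looks like a {reason}; identifiers used as "
                "authenticators elsewhere may not be usernames"
            )
        self.accounts[username] = hash_password(password)

    def authenticate(self, username, password):
        record = self.accounts.get(username)
        if record is None:
            # Unknown username: run the hash anyway so the login path takes
            # the same time whether or not the identifier exists.
            hash_password(password, self._dummy_salt)
            return False
        salt, digest = record
        _, attempt = hash_password(password, salt)
        return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    d = Directory()
    taken = set()
    for first, last in [("Ada", "Lovelace"), ("Ada", "Lovelace")]:
        user = make_username(first, last, taken)
        taken.add(user)
        d.create(user, "correct horse battery staple")
        print("created", user)
    print("login ok:", d.authenticate("ada.lovelace", "correct horse battery staple"))
    print("wrong password:", d.authenticate("ada.lovelace", "guess"))
    try:
        d.create("123-45-6789", "anything")
    except ValueError as exc:
        print("rejected:", exc)
```

The policy check runs at account creation, which is the only place a username format can be enforced cheaply; the authentication path never treats the username as a secret, and a wrong password and an unknown username both simply fail.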
