
Ask HN: Best user model for a web application? - czep
What are the evolving best practices for new web applications that need to authenticate users? Which of the following do most users prefer?

  username (short alphanumeric, no spaces, not an email)
  email address
  full name (longer, allow spaces and unicode)
  social auth (eg. FB connect, OAuth)

The classic username/password is low friction but lost passwords can't easily be dealt with. But if you use email for auth, you still need some kind of username or real name in order to refer to users without publishing their email address.

What sites do you know of that do user account management very well? Very poorly? Any pointers to good research on this from a user perspective?
======
LarryMade2
Depends: do you /need/ to know who they are? Or do you just need to know they
aren't some bot? Depending on what you are doing, you're going to have to think
of what's appropriate and keep in mind: the more you collect, the more
security/oversight you'll probably need.

I've been thinking on this for my app, and I don't really need to know who they
are; in fact I would prefer they couldn't use whatever they normally go by on
other sites (prevent name squatting, spoofing, etc), so that there is clearly no
assumption that the username/handle you are communicating with is who you think
they are. So minimally I would want:

User name (handle)
Email or text number (verification)
Login password

Now, thinking on no previous usernames, to reduce the instance of actual user
names/handles I plan to require a first and last user handle, with one of either
being a name from a supplied list of generic names and the other something they
come up with.

The list of names would include stuff like this: 'Coyote', 'Crazy', 'Desert',
'Doc', 'Dog', 'Farmer', 'Forrest'

In answer to your question, if it was a different app I'd do something
completely different. You have to get in the mind of your audience and your
revenue source of what would be appropriate.

~~~
czep
I agree that even maintaining email addresses can be a security risk that I'd
rather avoid. But many users expect this and will try to use their email even
if you give them a "username" prompt.

My primary intent with requiring registration is to deter (a little) spam or
bots or just bad behavior. Most content is readable anonymously, but I want
POSTing to my database restricted to registered accounts.

I suppose email with a verification step is the best way to go but increases
friction and requires more thought to security. But it also allows for
password recovery which you can't do unless you can associate an email with an
account.
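One way to model the account split the thread keeps circling (a public handle, a private verified email that is never published, and a single-use expiring token that serves both email verification and password recovery). This is an added example, not code from the thread; the `User` record, `TOKEN_TTL_SECONDS` and the function names are assumptions, and password hashing is left to a real library.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical user record (assumption, not from the thread): the handle is the only
# identifier other users ever see; the email exists for verification and recovery.
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class User:
    handle: str                      # public, shown to other users
    email: str                       # private, never rendered on the site
    email_verified: bool = False
    token_hash: Optional[str] = None  # sha256 of the outstanding token, never the raw token
    token_expires: float = 0.0       # unix time after which the token is dead


def issue_token(user: User, now: Optional[float] = None) -> str:
    """Mint a random token, store only its hash, return the raw value to email/SMS out.
    The same mechanism covers both address verification and password reset."""
    raw = secrets.token_urlsafe(32)
    user.token_hash = hashlib.sha256(raw.encode()).hexdigest()
    user.token_expires = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    return raw


def confirm_token(user: User, presented: str, now: Optional[float] = None) -> bool:
    """Accept a token once, only before expiry, comparing hashes in constant time."""
    now = now if now is not None else time.time()
    if user.token_hash is None or now > user.token_expires:
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(presented_hash, user.token_hash):
        return False
    user.email_verified = True
    user.token_hash = None           # single use: a replayed link must fail
    return True


def public_profile(user: User) -> dict:
    """What the rest of the site may render: handle and status, never the email."""
    return {"handle": user.handle, "verified": user.email_verified}
```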

~~~
LarryMade2
My thoughts too, people forget passwords a lot.

Well, there's also the message number possibility: Twilio looks pretty cheap to
do SMS/voice verification. Then you can get the mobile crowd too.

------
jwdunne
It depends.

FB auth might not be appropriate for B2B and GitHub login wouldn't be
appropriate for a non-dev user base.

My guess is that you need to think about your users. Who are they? Why are
they using your app? Your goal here is to reduce friction and you can only do
that by offering options specifically selected for your users.

As an actionable, go find someone who you expect would find your app useful,
ask them. Find your competitors and see what they're doing - even better if
you find something missing.

