Allowing login with email address while allowing multiple users with same email address

For a website, I would like users to be able to log in using either their unique username or their email address.

However, this site will potentially allow multiple user accounts with the same email address. (For instance, they may be the same person working for two different companies, etc. Also, for business reasons, each user account is associated with only one company. So if users work for more than one company, they have one login for each one.)

Here are some possible ways to handle this when the user logs in with an email address:

If more than one account matches the email address, AND the password (hashed of course) matches at least one of the passwords for an account with this address, then do one of the following:

A. Tell the user that their email address is associated with more than one account, so they will need to log in using their username instead.

or

B. Same as A, however if the password matches exactly one of the account's passwords, just accept it and log in as that account.

I would like to go with B. However, using the password to differentiate between two accounts seems like it might have some obvious security pitfalls (that I may be overlooking), or even some non-obvious ones.

Would this be a good solution, or is there a widely accepted "best practice" for this?

kes asked Feb 23 '23 04:02



2 Answers

The best practice for this is to have one account. Your database would contain records indicating which users have access/membership in which companies.

ceejayoz answered May 19 '23 22:05



Most sites use the email address + single password as the primary identifier. People are used to it and it works. Go with that.

If people want other information associated with their login, such as other accounts, they can certainly share a login and then select which account to use after login. It's not part of the login, but it is associated with it.

Setting up multiple logins can lead to trouble as it requires more management, and it increases the likelihood of people being lazy about keeping their password secure. When you need to change your password, what then? Change them all? KISS = keep it simple, stupid.

Diodeus - James MacFarlane answered May 20 '23 00:05

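As an added example (not code from either answer), here is the single-account model both answers describe: one record per person with a unique username and a unique e-mail, a membership table linking that account to companies, and a login that resolves the identifier to exactly one account before checking a single password hash, so a password is never used to pick between accounts. The table names, PBKDF2 parameters and sample users are constructed for the example.

```python
import hashlib, hmac, os, sqlite3

# Constructed schema: one account per person (username and e-mail both unique),
# plus a membership table that records which companies the account may act for.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                    email TEXT UNIQUE NOT NULL, salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE memberships (user_id INTEGER NOT NULL, company_id INTEGER NOT NULL,
                          PRIMARY KEY (user_id, company_id));
"""

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an example value, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(db, username, email, password, company_ids):
    salt = os.urandom(16)
    cur = db.execute("INSERT INTO users (username, email, salt, pw_hash) VALUES (?, ?, ?, ?)",
                     (username, email.lower(), salt, hash_password(password, salt)))
    db.executemany("INSERT INTO memberships VALUES (?, ?)",
                   [(cur.lastrowid, c) for c in company_ids])
    return cur.lastrowid

def authenticate(db, identifier: str, password: str):
    """Resolve a username or e-mail to exactly one account, verify the password
    against that account's hash only, and return (user_id, [company names]) or None."""
    rows = db.execute("SELECT id, salt, pw_hash FROM users WHERE username = ? OR email = ?",
                      (identifier, identifier.lower())).fetchall()
    # Zero or several matches are both rejected: the password never disambiguates accounts.
    row = rows[0] if len(rows) == 1 else None
    # Hash even on a miss so an unknown identifier is not distinguishable by timing.
    salt, stored = (row[1], row[2]) if row else (b"\0" * 16, b"\0" * 32)
    if row is None or not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    companies = [r[0] for r in db.execute(
        "SELECT c.name FROM companies c JOIN memberships m ON m.company_id = c.id "
        "WHERE m.user_id = ? ORDER BY c.name", (row[0],))]
    return row[0], companies  # the caller shows a company picker after login

def demo_db():
    # Constructed sample data: alice belongs to two companies, bob to one.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO companies (id, name) VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    create_user(db, "alice", "alice@example.com", "correct horse", [1, 2])
    create_user(db, "bob", "bob@example.com", "battery staple", [2])
    return db
```

Because the e-mail column is unique, the "two accounts, one e-mail" case from the question cannot arise; the per-company split lives in `memberships` and is chosen after authentication, not during it.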