AAAI-16

Do you support differentiation between email address and user identifier?

Explanation

This question asks whether your system lets each user have a user identifier (a username, user ID, etc.) that is separate from their email address. In many systems the email address is the primary identifier for the account, so users log in with it. That approach creates problems when a user needs to change their email address, because the change can affect their account identity, their access permissions, and references to the account elsewhere in the system.

The security assessment asks this because:

1. Email address changes: if a user changes their email (for example after leaving a company), a system that does not distinguish the email from the user ID may struggle to maintain continuity of access and permissions.
2. Privacy: a separate identifier lets users interact with the system without exposing their email address to other users.
3. Security best practice: separating the login identifier (such as an email address) from the internal identity keeps identity management cleaner.
4. Account management: it gives more flexibility in managing user identities across the account lifecycle.

To answer this question well, state clearly whether your system supports this differentiation, explain how user identifiers are structured in your system, and describe how email address changes are handled without disrupting user access or system functionality.
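To make the distinction concrete, here is a small in-memory model of the design the explanation (and Example Response 1 below) describes: accounts are keyed by an immutable UUID, the email address is a mutable attribute with its own lookup index, and permissions hang off the UUID. This is an added illustration, not code from ResponseHub or any product; the class and method names are assumptions, and the sample accounts are constructed.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str                      # immutable internal identifier (UUID)
    email: str                        # mutable contact/login attribute
    permissions: set = field(default_factory=set)


class UserDirectory:
    """Constructed model: accounts keyed by UUID, email kept as a separate index."""

    def __init__(self):
        self._by_id: dict[str, Account] = {}
        self._by_email: dict[str, str] = {}   # normalized email -> user_id
        self.audit: list[tuple] = []          # records identity events by user_id

    @staticmethod
    def _norm(email: str) -> str:
        # Case/whitespace normalization so "Alice@X" and "alice@x" are one address
        return email.strip().lower()

    def create(self, email: str) -> str:
        key = self._norm(email)
        if key in self._by_email:
            raise ValueError("email already in use")
        user_id = str(uuid.uuid4())
        self._by_id[user_id] = Account(user_id, key)
        self._by_email[key] = user_id
        self.audit.append(("create", user_id, key))
        return user_id

    def grant(self, user_id: str, permission: str) -> None:
        # Permissions are bound to the UUID, never to the email address
        self._by_id[user_id].permissions.add(permission)

    def resolve_login(self, email: str):
        # Login by email only maps to the identifier; returns None if unknown
        return self._by_email.get(self._norm(email))

    def change_email(self, user_id: str, new_email: str) -> None:
        acct = self._by_id[user_id]
        new_key = self._norm(new_email)
        owner = self._by_email.get(new_key)
        if owner is not None and owner != user_id:
            raise ValueError("email already in use")
        del self._by_email[acct.email]        # old address must stop resolving
        self._by_email[new_key] = user_id
        self.audit.append(("email_change", user_id, acct.email, new_key))
        acct.email = new_key                  # user_id and permissions untouched

    def permissions_of(self, user_id: str) -> set:
        return set(self._by_id[user_id].permissions)
```

After `change_email`, the old address no longer resolves to the account, the new one does, and every grant made against the UUID survives; the audit trail stays keyed by the UUID rather than by either address.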

Example Responses

Example Response 1

Yes, our platform fully supports differentiation between email addresses and user identifiers. Each user account is assigned a unique alphanumeric UUID upon creation that serves as the permanent user identifier throughout the system. Email addresses are stored as a separate attribute associated with the account and can be updated without affecting the underlying user identity. When a user changes their email address, all permissions, access rights, and historical data remain intact since they're linked to the unchanging UUID rather than the email address. This separation also allows us to maintain continuity when employees change roles or leave organizations while preserving audit trails and system records.

Example Response 2

Yes, we differentiate between email addresses and user identifiers in our system. Users are assigned a unique username during account creation that serves as their primary identifier. While users can log in using either their username or email address, all internal system references, permissions, and data relationships are tied to the username rather than the email. When a user needs to update their email address, they can do so through their account settings without any impact on their system identity or historical data. This approach provides flexibility for users while maintaining consistent identity management within our platform.

Example Response 3

No, our current system uses email addresses as the primary user identifier. Users log in with their email address, and all permissions and system references are directly tied to this email. When a user needs to change their email address, our process requires creating a new account with the new email and manually transferring permissions and access rights from the old account. We recognize this is not ideal from a security and user management perspective, and we're planning to implement a separate user identifier system in our next major platform update scheduled for Q3 this year. This enhancement will allow users to change their email addresses without disrupting their account identity or requiring administrative intervention.

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub