[Owasp-austin] Email address as login

Chris chris.owasp at gmail.com
Wed Oct 8 14:46:36 EDT 2008


I'm managing a team that is creating a web based account system. The
accounts will have stored payment information, as well as access to an
online game. Management has requested that we use email addresses as account
login name. This seems counterintuitive to me from a security perspective
for several reasons:


half of the equation for login

password reset mechanism uses that address with no other validation

we don't control email security for our users


The actual known risks of risks of account compromise are these:


compromised accounts can bill non-shippable, virtual goods to legitimate
owner's payment method

compromised accounts can block access to legitimate owner with no secondary
proof of ownership


Management's desire is for user convenience, and they cite many sites with
stored payment information that use email address as login (Amazon, Paypal,


I am wondering if anyone has any opinions on the security of this type of
system, or published works that they could point me to. Are the security
risks for "email address as login" extreme paranoid edge cases, or do sites
that use this have a fair amount of security issues that they offset with
massive income? 






-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-austin/attachments/20081008/25fefbbd/attachment.html 

More information about the Owasp-austin mailing list