Mini rant: Systems that use your email as the unique identifier and you can't change it

I've been using the same dumb free email since I was in high school and then starting a few years ago a different email I created that I recently decided I didn't like. I'm trying to transition everything to a newer better email account.

But I'm finding a staggering number of big companies whose apps/systems use the email as the primary identifier in the back end and do not let you change them! I learned that this was dumb when I created my very first web app like a decade ago?

The main two I've noticed recently are GM Financial and McDonald's!

If you have come across any recently, name and shame them here!
 
Why can't a unique identifier change?

If email worked at account creation, it can work after you change it.
 
> Why can't a unique identifier change?
>
> If email worked at account creation, it can work after you change it.

Sure, but typically if you pick something as the “primary key” in a database, it’s supposed to be immutable.

A unique user ID should be the primary key, and then email can be required to be unique and be used as an identifier and/or the username for login. But on the back end it should be using a unique user ID across the app so if you change the user's email address the only thing that changes is, well, the email address.
 
That's why many businesses use your SSN, as it never changes, but your SSN was never designed for that and it's very insecure to use it that way.

What do you think should be used as your unique identifier?
While this sounds good on the surface, identity theft warrants a new SSN, so this isn't valid either.
 
Changing it doesn't mean you remove all record of it. It's not hard to keep a history of email addresses or usernames on an account.
So long as you remember. If you transfer the database to someone else or a different system and they don’t know then it’s broken. That’s sort of the point of a non-changing unique identifier.

For McDonald’s does it matter - likely not. Medical or legal records it would.
 
Well, you normally use something like a GUID for your identifier, not something that a user may need to change.

Either way, your database should account for changing fields and history, especially at places like GM Financial. You don't migrate to a new system without maintaining your history.
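
The design described in the posts above (a surrogate user ID as the primary key, a unique email used only for login, and a history of past addresses), as an added example that is not part of the original thread. Table, column and function names are hypothetical; it uses Python's built-in `sqlite3` with an in-memory database.

```python
import sqlite3
import uuid

# Hypothetical schema: every other table references user_id, never the email.
SCHEMA = """
CREATE TABLE users (
    user_id TEXT PRIMARY KEY,        -- surrogate key (GUID), never changes
    email   TEXT NOT NULL UNIQUE     -- login identifier, allowed to change
);
CREATE TABLE email_history (
    user_id    TEXT NOT NULL REFERENCES users(user_id),
    old_email  TEXT NOT NULL,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE orders (
    order_id INTEGER PRIMARY KEY,
    user_id  TEXT NOT NULL REFERENCES users(user_id)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def create_user(db, email):
    user_id = str(uuid.uuid4())
    with db:
        db.execute("INSERT INTO users (user_id, email) VALUES (?, ?)", (user_id, email))
    return user_id

def change_email(db, user_id, new_email):
    """Record the old address and swap in the new one in a single transaction.
    Returns False (and changes nothing) if the user is unknown or the address is taken."""
    try:
        with db:  # commits on success, rolls back if any statement raises
            row = db.execute("SELECT email FROM users WHERE user_id = ?", (user_id,)).fetchone()
            if row is None:
                return False
            db.execute("INSERT INTO email_history (user_id, old_email) VALUES (?, ?)", (user_id, row[0]))
            db.execute("UPDATE users SET email = ? WHERE user_id = ?", (new_email, user_id))
        return True
    except sqlite3.IntegrityError:  # UNIQUE violation: address belongs to another account
        return False

def find_user(db, email):
    row = db.execute("SELECT user_id FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None
```

This covers storage only; a real change flow would also confirm the new address and verify the requester before calling `change_email`.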
 
> Well, you normally use something like a GUID for your identifier, not something that a user may need to change.
>
> Either way, your database should account for changing fields and history, especially at places like GM Financial. You don't migrate to a new system without maintaining your history.

You asked why can’t your unique identifier be changed. So that’s how I responded.

Using your email as a unique identifier is a bad idea precisely because it can change.
 
I acknowledged the potential issue in post 6, before you even chimed in. You just looking to argue today?
 
It's amateur design at best, agreed.
Yep, and they aren't considering who they are dealing with. Too many people use their work e-mails for personal stuff or they use the email provided by their ISP. Both of those can change, then what? Worse is if you used those and the system does allow it to be changed, they will at least send confirmation messages to those accounts to make sure the request is legit, but you don't have access to them.... Goes back to "they aren't considering who they are dealing with".
 
> I've been using the same dumb free email since I was in high school and then starting a few years ago a different email I created that I recently decided I didn't like. I'm trying to transition everything to a newer better email account.
>
> But I'm finding a staggering number of big companies whose apps/systems use the email as the primary identifier in the back end and do not let you change them! I learned that this was dumb when I created my very first web app like a decade ago?
>
> The main two I've noticed recently are GM Financial and McDonald's!
>
> If you have come across any recently, name and shame them here!

Agree, there is zero reason to have your email address as your "user name"/identifier.
The proof is most companies do not. None of my financial institutions do and I have been banking online, gosh, maybe since the first online accounts were able to.

Between my wife and I up to a dozen Credit Cards and countless other financial institutions we have online do not use email addresses.
So what I am saying is you are 100% correct and ignoring all the other posts as there is no reason for email to be your user name.

Yet, I agree to this day some annoying companies do this, many subscription services as well such as TV streaming accounts. GM is a good point, I have GMAC financing. We don't do car loans but this was 0.0% so we did it, also since we didn't expect to buy a car that day, it was a no-brainer to leave the car money in the account and collect interest.
Anyway, for the first time that I remember I logged into the GMAC site. I guess I did when we first bought the car and sure enough, you are right, email address is my user name. Only financial institution I have used that uses my email as the login.
 
Amazon lets me log in with either my email or phone number. Although I haven't changed my email (or phone number), it would seem that I could log in with my phone number and change my email to a new one and use it from that point on. Seems like a simple enough design strategy for companies to use.

Scott
 
> You don't migrate to a new system without maintaining your history.

This is debatable too, if the customer wants it ETL'd into the new system, they can pay for it, otherwise enjoy a data dump from the old one and make it their responsibility (unless they want to pay for that responsibility shift too)
 
I was surprised you asked given your background. ??

Well, I'm not a DBA and I haven't done web development for almost 30 years. I do know that I'd opt for a surrogate key over a natural key for just this reason. I can't fathom a major bank not letting a user change their email address over this reason, it's an amateur move. If I were a guessing guy, I would have first thought they want you to call in so they can better verify your identity, rather than letting a potentially compromised user / password, change critical fields that impact customer notification.
 