
Persona's about page says that you can use multiple email addresses with a single account.

"Within Persona, your identity is your email address. You can use as many email addresses as you want, but you still only need one password." - https://login.persona.org/about




It's not really clear if it maps to the same identity. I should test that.

However, I think it might still confuse customers. A normal user expects to be able to change their email address on the site where they do business and the "MAGIC". I think we would have been better off requiring a username, email and password, rather than using the email as the username. For a large number of people, needing to have both username and email seems redundant and stupid; for real-life customers... not so much.

My issue is, a customer has X number of orders on our site. Then he/she changes email and expects that using the new email address the old orders are magically available. This seems naive but that is what you have to deal with.

Again I should check to see if Persona indeed maps multiple emails to the same identity. It didn't seem like it when I tested it last, but I would not rule out that I did something wrong.


On the one hand, I think email addresses are FAR more understandable as "identity" to an average user than URLs are, which to me is the fatal flaw with OpenID. To an "ordinary" user, URLs are websites, not people.

On the other hand, people do change identifiers. They change usernames (jsmith gets married and now wants to be jadams) and they change emails (for the same reason, or because they change ISPs or mobile carriers or whatever). ANY authentication process you use should allow the user to change his identifier (or any other personal attribute, even gender) at will.

Internally you deal with this by connecting the identifier to another token that is the real "permanent" identity for the user in your system. But it's one that's never exposed to the actual user. It sounds like your system was using the email address in the order records to identify the customer. That is what your real problem is, not that people change email addresses.


> But it's one that's never exposed to the actual user.

Why not expose it to the user? Because then they'll want to change it? Are you talking about browser fingerprinting?

We already expose this on the user/email level, where users can link and log in with as many email addresses as they like, under one account (identifier).


You tell your users what their primary key is in your database?


Sure, sometimes their usernames are their primary keys. Even if the actual primary key is arbitrary, the primary identity is still exposed to the user, in that they know what their user account is, and which email addresses are linked to it.


It maps multiple emails to the same identity, in that you use the same password to log in with all of them. The end site gets the email you log in to the site with (I can log in to Persona with email A but let all sites know email B every time. If I change that to email C, sites will think I'm a different user).

You can let users change email addresses, and nothing bad will happen. They'll just have to log in with the other address next time.
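
The design discussed in the thread above (a permanent internal identifier, with email addresses as changeable login identifiers linked to it), as an added example that is not part of any comment or of Persona itself. The schema and all function names are assumptions, and it uses Python's built-in sqlite3.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY);   -- permanent internal identity
CREATE TABLE emails (address TEXT PRIMARY KEY,  -- login identifier; one owner only
                     user_id INTEGER NOT NULL REFERENCES users(id));
CREATE TABLE orders (id INTEGER PRIMARY KEY,
                     user_id INTEGER NOT NULL REFERENCES users(id),  -- not the email
                     item TEXT NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def norm(email):
    # Simplification: treat addresses as case-insensitive.
    return email.strip().lower()

def register(db, email):
    user_id = db.execute("INSERT INTO users DEFAULT VALUES").lastrowid
    db.execute("INSERT INTO emails VALUES (?, ?)", (norm(email), user_id))
    return user_id

def user_for_email(db, email):
    row = db.execute("SELECT user_id FROM emails WHERE address = ?",
                     (norm(email),)).fetchone()
    return row[0] if row else None

def link_email(db, user_id, new_email):
    # Assumption: the caller holds an authenticated session for user_id and has
    # verified control of new_email. Returns False if the address is already owned.
    try:
        db.execute("INSERT INTO emails VALUES (?, ?)", (norm(new_email), user_id))
        return True
    except sqlite3.IntegrityError:
        return False

def unlink_email(db, user_id, email):
    # Refuse to remove the last address so the account stays reachable.
    (n,) = db.execute("SELECT COUNT(*) FROM emails WHERE user_id = ?", (user_id,)).fetchone()
    if n <= 1:
        return False
    cur = db.execute("DELETE FROM emails WHERE user_id = ? AND address = ?", (user_id, norm(email)))
    return cur.rowcount == 1

def orders_for_login(db, email):
    rows = db.execute("SELECT o.item FROM orders o JOIN emails e ON e.user_id = o.user_id "
                      "WHERE e.address = ? ORDER BY o.id", (norm(email),)).fetchall()
    return [r[0] for r in rows]
```

Because orders reference `users.id`, a customer who links a new address and drops the old one still sees the same orders, and the primary key on `emails.address` keeps one address from ever resolving to two accounts.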



