Pet peeve: every time I register for a new service/website, it's a chore to find a unique username that hasn't been previously used. It's 2018 - why haven't we evolved from the need for unique usernames?
I Agree with OP.<p>From an authentication point of view(Crypto and twiiter like 'verification'),some system or authority needs to verify your identity. I think a Fully Qualified User Identity (much like fqdn) where your username is only part of your FQUI would solve a lot of issues.<p>For example:<p>Alice.blue.hn.de
Alice.orange.hn.twitter.us<p>The two FQUI represent different people.<p>Alice is in the 'blue' group,verified by hn which used the 'de' identity authority.<p>Alice is in the 'orange' group,verified by hn using twitter. Twitter used identity authority 'us'.<p><[hierarchial user name]>.<user group>.<[hierarchial identity verifier domains]>.<identity authority><p>This isn't a new idea at all,there just does not seem to be a one size fits all consensus on what system to use. Maybe everyone is wary because the DNS hierarchial system isn't doing too well. Unlike domain names,a person is unique,you can't register arbitrary identities under the same authority(at least not without committing fraud)
From a UI point a name is a way for humans to identify a thing. So a username is just a way to identify a user, if multiple users have the same username you cant identify which one.<p>Starcraft allows people to have the same username, tell your mate your username and ask him to add you, he wont be able to. You need to go through settings and find your unique user pin which you cant remember, then give that too your mate, they need both.<p>Use email and a screen name, your mate already knows your username and can add you, you can call yourself whatever you want.
The purpose of a username is to identify a user, publicly and to the application with an account and password. If usernames weren't unique, it might be impossible to distinguish between accounts with the same username, much less the same password. Forcing passwords to be unique is unacceptable as every failed attempt to register an account with a password that exists will tell you <i>someone is using that password</i> (to say nothing of the overhead of having to check that.) But being told a username exists doesn't expose the same security risk.
I think Facebook is an example of a service that has - you use an email & password to log in, but your name is what is displayed everywhere.<p>But Facebook has made other trade-offs that people might not always agree with: it requires people to use their "real name", and while this policy is sporadically enforced, they probably have checks for people cycling through names, and they also focus on communicating with your close social circle where there is less incentive/opportunity to impersonate people.<p>Twitter has something in between where you can have a handle, which must be unique, as well as a display name, which does not. Without a unique handle @handle isn't a thing that works. You could do something like Facebook and have someone type @<Display Name> and provide some drop down for disambiguating, but given the wide open nature of Twitter, this seems more abuse-prone.<p>Identity is still hard to manage online, and I don't think we're really ever going to solve the problem in a way that makes everyone happy.
I've written a login before that allowed non-unique login names that were solely differentiated by password. Given the relatively low volume of visitors to the site and the minimum password requirements (8 characters, at least one cap and one punctuation), we figured the chance of collisions was minimal.
Most modern services don't anymore though. Most of them use an email address.<p>The ones that don't typically make a publicly identifyable string for you, like a url on GitHub or a handle on Twitter.
there is far too much hackability Re spoofed user names, a machine can tell if a name is reused but people often cant.
...the problem with filtering name and passwd reuse also bring hackability into play, suppose guard0g is on a secure system and the user names are not supposed to be public, we now know that guard0g at least was in use at one time if not currently, this info can be used in crafting a soc.eng. attack...