Mastodon: Login with username rather than email

Created on 7 Apr 2017  ·  9 Comments  ·  Source: tootsuite/mastodon

Hi,

It would be really cool if someone could simply use their username to log in, rather than having to use the email address, which is often much longer to type.

Not sure how feasible this is from a security point of view though.

Thanks!


  • [x] I searched or browsed the repo’s other issues to ensure this is not a duplicate.

Label: security

All 9 comments

Such login would be loads more insecure. Everybody knows your username, but only very few people might know what exact e-mail address you signed up with.

I agree with @Gargron and a lot of services use your email as login today.

I would tend to think there is little to no added non-public information between the login and the email for most users. And most websites allow login with username, typically GitHub or Twitter.

The need for extra security should come with proper secret values such as 2FA rather than email vs passwords IMO.

Additionally, when using unique email addresses such as with a + sign, it might be difficult to remember exactly which email was used on a particular website.

I recommend using a password manager to fill in your email/password instead of typing it.

Security through obscurity rarely works. There might be other reasons for having an email as your login, but security should not be one of them.

+1 to this, it feels like a huge UX win for little-to-no security gains. If your last line of defense is treating which email address you used to sign up for a service as a secret key, you've already lost the fight.

To reiterate @Phyks's point, if the concern is not having enough pieces of secret information, proper 2FA support (which I believe already exists?) feels more in line with best practices both on the security and UX side of things.

Hello,
I would add 1 point for using username.
When you "remote_follow" someone you are asked for your username@instance, not your instance + email.

It would be more coherent to use the same way to identify someone everywhere.

On the security aspect, if I use a third-party app to connect, I need to give it my email (welcome SPAM), which is not really more secure than my login, which will be accessible by "accounts/verify_credentials".

  1. It is a recommended default in Devise to only allow e-mail.
  2. Security through obscurity is not security, and yet people recommend changing the default SSH port. Even with all other security precautions, and rate limiting against brute force attacks, if you can use the username that is publicly known, it is a lot easier to start brute forcing the password (very slowly due to rate limits).
  3. Not everyone has 2FA set up. Doesn't mean we should throw them under the bus.
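The two mechanisms the thread keeps returning to, a login lookup that accepts either username or e-mail and per-account failure counting against password guessing, as an added Ruby example that is not Mastodon's or Devise's code; the in-memory store and the `register`, `find_user` and `authenticate` helpers are constructed for this illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed in-memory store standing in for a User model (hypothetical).
# Passwords are kept only as salted PBKDF2 digests.
USERS = {}
MAX_FAILURES = 5

def digest(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, 'sha256')
end

def register(username, email, password)
  salt = SecureRandom.random_bytes(16)
  USERS[username.downcase] = { email: email.downcase, salt: salt,
                               digest: digest(password, salt), failures: 0 }
end

# Dummy credentials used when no account matches, so an unknown identifier
# goes through the same hashing work as a known one (limits enumeration).
DUMMY_SALT = SecureRandom.random_bytes(16)
DUMMY_DIGEST = digest(SecureRandom.hex(16), DUMMY_SALT)

# Constant-time byte comparison (does not short-circuit on first mismatch).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The identifier may be a username or an e-mail address; both are normalised.
def find_user(identifier)
  id = identifier.strip.downcase
  return USERS[id] if USERS.key?(id)
  USERS.values.find { |u| u[:email] == id }
end

# Returns :ok, :locked or :invalid. The :invalid answer is identical whether
# the identifier exists or not, and failures are counted per account, so a
# publicly known username does not buy a guesser extra attempts.
def authenticate(identifier, password)
  user = find_user(identifier)
  salt = user ? user[:salt] : DUMMY_SALT
  expected = user ? user[:digest] : DUMMY_DIGEST
  matched = secure_equal?(digest(password, salt), expected)
  return :locked if user && user[:failures] >= MAX_FAILURES
  if matched && user
    user[:failures] = 0
    :ok
  else
    user[:failures] += 1 if user
    :invalid
  end
end
```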

I keep thinking about this one.

More precisely I keep on thinking about the use case that I suspect is hiding behind this question: it is useful to have multiple accounts, for many reasons - roleplay, side projects, "after dark" (for naked selfies, usually used in practice on twitter for bitching about day job), trolling/brigading, etc.

Obviously we would want to discourage that last use but having to scrounge up a new email address for everything is a pain in the ass. It's a pain in the ass on Twitter and it's a pain in the ass here, too. Hell, it was a pain in the ass back on Livejournal even though you logged in with username/pw there.

So what if one email/password pair could be the key to MULTIPLE accounts on the same server?

Facebook sorta does this with its "pages" for things. They are complex and weird and full of attempts to get you to pay Facebook more money. Keep it simple: one login can have multiple accounts, which all behave like any other Mastodon account. Except that they are linked.

Perhaps we might add a "See Also" tab to the user info view that listed linked accounts; this might be a thing the user can opt out of (say, to keep their Raunchy Nude Selfies identity a bit more obscured from their Hi This Is My Public Business identity) entirely or on a per-account basis.

There is UI and design that needs to be done here, of course. I don't know how deep the "1 human=1 email/pw=1 account" assumption goes in Mastodon, either...
