Migrating from Invision, username login and tags

[Zenxx]

We are considering migrating from Invision. One important reason is that username login is removed in the latest revision, 5.x.
Do Xenforo have any plans to remove this?

Also, we are using closed tag system, will this work the same way in Xenforo?

 

[Ricsca]

You can log in with either a user name or email address.

 

[Suzanne O]

@MySiteGuy can help you with the migration of your site.
With the username login check your settings. Sometimes when you have registrations turned off it switches that off too.

 

[Zenxx]

Thanks, but my question was if Xenforo have any plans to remove username login?
Invision did that in their latest generation. For reasons I haven't understand...

 

[Ricsca]

We don't know what Xf will do in the future. For now you can log in with both username and email, but it's still preferable to use email for security reasons because email is private and not public. But above all, what does it change for you since users are shown with their username?

 

[Slavik]

Do Xenforo have any plans to remove this?

I cant think of any reason we would...

 

[Zenxx]

Many thanks Slavik!

But above all, what does it change for you since users are shown with their username?

It's an old forum and we have reasons to believe that many of our long-time members doesn't know which email address they used when registering. It can be an email provider that got extinct 20 years ago.

In 25 years we are not aware on any account hijacking so in respect to security email-only login has no advantages for us, only disadvantages.

 

[Ricsca]

In my opinion, this isn't a problem because if a user forgets their email address or it's no longer active, they can simply send you a message from the contact page. The number of users who no longer have active email addresses and want to log in to your site will certainly be very few and manageable.

 

[Zenxx]

With 100k+ users it might not be just a simple job. Better to keep username login as an option.

 

[PhineasD]

I think it's much easier to remember an email address that's used for more than just registering on a forum, than a username used on a specific website.

 

[Zenxx]

It might be for some, but it's not about deleting email-login, but to keep both options.

 

[Rene_V]

With 100k+ users it might not be just a simple job. Better to keep username login as an option.

I agree. I never understood why Ips removed that option. It didn't make much sense to me.

 

[Ricsca]

With 100k+ users it might not be just a simple job. Better to keep username login as an option.

How many active users do you have? Are you getting to 5,000?
Even if there were 10,000, how many of these users won't remember their email address? 1,000? Do you realize you're worrying about a problem that doesn't exist?

If a user is inactive in their email for several years, so much so that their email has been deleted, imagine how active they can be and remember to log in to a forum, especially since, without an email address, they don't receive notifications or any forum communications...

 

[Ricsca]

I agree. I never understood why Ips removed that option. It didn't make much sense to me.

Email is used to strengthen security because usernames are public while emails are not. In fact, it is becoming common practice for most websites and apps to require logins only with email or phone number.

 

[Rene_V]

Email is used to strengthen security because usernames are public while emails are not. In fact, it is becoming common practice for most websites and apps to require logins only with email or phone number.

That looks like security through obscurity to me.

 

[Zenxx]

Even if there were 10,000, how many of these users won't remember their email address? 1,000? Do you realize you're worrying about a problem that doesn't exist?

Probably you don't have experience with running a forum that lasts back to the beginning of the century.
It's not uncommon that members come back after 10 years or more.
Even active members might not know their address and if they use extinct email accounts they are not receiving any notifications and are luckily unaware of the problem.
In fact very few of our members are using notifications at all. People hate unsolicited mail and notification setup is very complicated in Invision to the average user.

Email is used to strengthen security because usernames are public while emails are not.

As said we haven't had an account hijacked in 25 years.

 

[Ricsca]

@Zenxx i have 3 forums:

Forum 1: 05/02/2005 members 35,817
Forum 2: 10/27/2000 members 64,874
Forum 3: 09/28/2011 members 8,920

 

[Mendalla]

That looks like security through obscurity to me.

This. Someone's email or phone number is generally not that difficult to obtain with a fairly simple phishing attack. Makes a bit more work, sure, but in age when phishers, hackers and spammers can use AI agents to build and manage their attacks, probably not a lot more.

If you really need security, MFA and SSO are the way, esp. the former. Just remember that even those are not bulletproof. You are still one well-honed phish away from being hacked.

 

[Ricsca]

It's not impossible, but it's increasingly complicated than logging in directly with your username...
Security is a fundamental factor and increasingly critical as the years go by, so it's natural that as time goes by, more strategies are implemented.
Now, worrying about whether xf will one day allow you to log in only via email seems pointless to me...

 

[JordanH]

Many thanks Slavik!


It's an old forum and we have reasons to believe that many of our long-time members doesn't know which email address they used when registering. It can be an email provider that got extinct 20 years ago.

In 25 years we are not aware on any account hijacking so in respect to security email-only login has no advantages for us, only disadvantages.

I would suggest if you do migrate, start announcing it early, and have users update their email beforehand. Just in case some users need a password reset.