More than one identifier for transactions

[jar]

Hi,

For security reasons, in cyclos wiki, you advise cyclos 4 PRO licensees to avoid using users username as login credentials and also as user identifier in transactions. We agree with this too, so we start changing our system to work with username only as login credentials and we created a new profile field that works as user identifier that we call «public account identifier». The payee identifies the beneficiary of payment through our public account identifier field.

One problem that I see is that I can create a public account identifier that is the same of a username that belongs to other user. Example: customer with username demo1 can create a public account identifier demo3 and someone else can have a username demo3 and public account identifier theKing.

So, for cyclos 4 PRO licensees that allow more than one identifier (username and a custom profile field that acts as identifier), can this be a cause of problems when trying to identify the beneficiary of the funds? I am asking this, because we would like to have a lapse in time where our users could use both identifiers (username and public account identifier), because apple store needs 2 weeks to approve a new app version.

Thanks for your help.

[admin]

Generally it is advised not to use user identifiers that allow the same formats, but to use identifiers that require the value to be unique, and that have a unique format (e.g. account number, email, phone number). This way, even if you allow users to modify their identifiers (which is common in some cases, for example email) it is guaranteed that they cannot enter an identifier that has the same value of another identifier type of another user.
If you want use a profile field as identifier you can always put a validator script on the field that ensures that the format that can be entered does not allow entering formats of other user identifiers.