Is your organization using more than one account username convention for your different systems and applications? If so, your organization isn’t alone. Since there is no one-size-fits-all naming convention, creating a single, enterprise-wide account username convention is easier said than done. However, using the right methodology, it is not only possible to create an enterprise-wide account username convention, but one that is an optimal fit for your organization.
So, Why Do Account Username Conventions Matter?
Providing all users with single sign-on (SSO) is a critical requirement of most identity management initiatives. And it’s easy to see why. The benefits of SSO include easy access to applications, reduced support calls, and decreased security risks overall.
However, to facilitate SSO, a single identity must be established for each user—with a single username and password—to enable access to all application resources. Not only that, but this account username convention must be appropriate for every connected system and user in the organization’s digital ecosystem—including external users, such as contractors, partners, and vendors—for many years to come.
The Challenges of Developing a Standard Account Username Convention
Developing an account username convention for all current and future users of an IAM Service is no small task, because there will never be a single convention that completely satisfies all users. The reality is, each user has opinions about what they think a username should be.
Changing an account username affects every user and the process is much more involved than simply changing another attribute, such as job title. This is because almost everything in the Identity and Access Management (IAM) system is connected to or dependent on username. So, when the username must be changed, it has to be changed in every aspect of the core IAM system and all connected applications.
To further complicate matters, different systems and applications each have different, predefined username conventions, such as first initial + last name, firstname.lastname, or email address. So, when a single convention is selected for an all-inclusive organizational standard, there is often a constraint or “lowest common denominator”: a system that can only support one convention and nothing else.
Balancing the Four Drivers
In addition to the challenges outlined above, your organization must also take four critical drivers into account when planning a new account username convention: usability, security, administration, and audit.
The goal is to develop a convention that balances the four drivers. However, we recommend you prioritize the drivers. Lower priority drivers offer more flexibility, which is valuable when making the final username recommendation to your organization. Additionally, prioritizing the drivers helps prevent any one person or group from influencing the selection process based on their needs alone.
Usability - An organization most concerned with keeping their customers happy will set usability as the top priority. Focusing on usability helps drive adoption of a new account username convention. Name-based conventions, such as “jdoe” or “johndoe,” are most typical in this scenario.
Security - Security is concerned with unauthorized access, more specifically, the ability of an intruder to guess the username. The typical account naming convention in a security-prioritized scenario is a system-generated account name that is not directly linked to identity data in any way, such as using 4 letters + 4 numbers (e.g. qlvz4426).
Administration - Focuses on the ease of administration and the ability for help desk users to quickly and easily find user accounts. The typical account naming convention in this scenario is one based on full name, such as “Public, John Q.” (e.g. jqpublic) or “Jane Doe” (e.g. jdoe).
Audit - Organizations need the ability to run reports that show the access history of specific users—who did what and when. This requires a naming convention where the username does not change (such as a primary key in a database), since access logs normally only store usernames and not a GUID. Using a unique identifier from an authoritative data source, such as employee ID, would be the typical username convention in this prioritized scenario.
Creating an Optimal Account Username Convention
Many organizations begin the process by asking people within the organization what they like or prefer, and people then provide input based on what they find important. While it might seem like this approach aligns with the usability driver, there are multiple flaws with this approach because you are only going to satisfy a subset of people whose preference aligns with the convention.
Instead, we recommend using a three-step methodology that enables organizations to:
- Document all known constraints
- Develop and evaluate all possible username conventions
- Review, make recommendations, and plan for next steps
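The first two steps can be sketched in code. This is an added example, not taken from the article or the guide: it generates usernames for the conventions named above and checks them for duplicates and against each system's constraints. The roster, the two system patterns and all function names are constructed assumptions.

```python
import re
import secrets
import string

# Constructed sample roster (employee ID, first name, last name); not real people.
ROSTER = [
    ("100231", "John", "Doe"),
    ("100232", "Jane", "Doe"),
    ("100233", "Jane", "Doe-Smith"),
    ("100234", "Maximilian", "Featherstonehaugh"),
]

# Step 1: documented constraints, one pattern per connected system (hypothetical).
SYSTEMS = {
    "directory": re.compile(r"[a-z0-9.]{1,64}"),
    "legacy_app": re.compile(r"[a-z0-9]{1,8}"),  # the "lowest common denominator"
}

def _norm(name):
    """Lowercase and drop everything except a-z (hyphens, spaces, apostrophes)."""
    return re.sub(r"[^a-z]", "", name.lower())

def _random_id(emp_id, first, last):
    """4 letters + 4 digits from a CSPRNG, unrelated to identity data."""
    letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(4))
    digits = "".join(secrets.choice(string.digits) for _ in range(4))
    return letters + digits

# Step 2: candidate conventions named in the article.
CONVENTIONS = {
    "initial+last": lambda e, f, l: _norm(f)[:1] + _norm(l),
    "first.last": lambda e, f, l: _norm(f) + "." + _norm(l),
    "employee_id": lambda e, f, l: e,
    "4letters+4digits": _random_id,
}

def evaluate(convention, roster=ROSTER, systems=SYSTEMS):
    """Return the duplicate count and the systems that reject any generated name."""
    make = CONVENTIONS[convention]
    names = [make(*person) for person in roster]
    rejected = sorted(
        sysname for sysname, pattern in systems.items()
        if any(not pattern.fullmatch(n) for n in names)
    )
    return {"collisions": len(names) - len(set(names)), "rejected_by": rejected}

if __name__ == "__main__":
    for name in CONVENTIONS:
        print(f"{name:18} {evaluate(name)}")
```

On this constructed roster, initial+last collides for John and Jane Doe and both name-based conventions are rejected by the 8-character system, while the employee ID and generated conventions pass everywhere.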
To learn more about implementing account username conventions using this three-step methodology, be sure to download the Definitive Guide to Account Username Conventions. The guide provides step-by-step instructions for how to develop an account username convention using the three-step methodology, as well as all the tools necessary for success, including:
- Best practices
- List of common username constraints
- A cheat sheet to help you develop your own account username convention