what is the best practice and principles around using emails as username your web site.
Thanks for you doing the legwork of quoting the standards
I don't like using email as a username. It is too transient. We all change email providers, and at the same time, when I leave a company or a service provider, someone else with the same or similar name could end up with my old email address. In that context, email as a username doesn't work for ISO 27001
On the backend of things email as well as username have to be used by the system, meaning they can't be hashed. That said, it would be nice if they, and any other sensitive data (and what isn't these days?) were encrypted. If we are trying to do this robustly, we're encrypting both on the web/application side and the database side of things. That way, someone has to compromise both servers/hosts to get meaningful personal data.
That might seem overkill - it's just an email address right? But phishing remains remarkably effective and when you can add in other user data (address, phone number, etc.), it can be even more effective.
The not-easy-to-guess username standard I think misses the point. It might be effective against a brute-force attack on the login, but the far better approach is a lockout after X attempts. Plus, if it is hard to guess, it means hard to remember. So the system still needs an email address for each user (to email them their username). This doesn't really shift the risk. The likely attack is someone stealing the database and then being able to key on email addresses, matching them to cracked passwords on other services (because people re-use passwords) or cracking the hashes they just stole. This returns to adding encryption on both the application and database.
That said, I've long encouraged people to not just use unique passwords for every service but also unique email addresses. Not only does that give you some buffer when a database gets stolen, but it also gives you a chance to track just what someone does with your email address as the spam starts to roll in.
So I think I went over my two cents with that response 😉 but this is a good question and I am curious what others see as good or best practice.