Signing into any service typically involves providing a username to identify yourself and a password to prove that you are who you claim to be. This process is called authentication. With a lot of focus on passwords in the media, we might forget that managing usernames is equally important.

In running the RM Unify identity platform for over 2.2 million students and staff in the UK, we have observed some institutions reusing usernames when a person leaves their organisation - for example, a new joiner is given a leaver's username. In the past, this wouldn't have caused a problem because the only access governed by these usernames was for local resources such as file servers. However, since email and cloud services are now ubiquitous, these usernames have meaning outside the confines of your organisation.

RM Unify aims to keep a user's email address in G Suite and Office 365 in line with their username - this is simpler for the IT admin and the end user. This is particularly true if a school wants to roll out cloud managed devices such as Chromebooks or Windows 10 S as users log into these devices with their email address, so consistency with local username is really important.

Tech industry views on username reuse

In terms of industry best practice, the recommendation is to never reuse usernames within 2 years of a person leaving an establishment. Some organisations have a stronger stance than this, with Google advising never to reuse an email address, ever. Aside from the confusion it can cause, there is a real information security impact. For example, consider a new user receiving email correspondence intended for the old user, or gaining access to data they should not because cloud sharing controls and password recovery are often anchored to email addresses.

Username retention and RM Unify

When an account is deleted in RM Unify, we wait for 9 months before permanently removing their Office 365 and G Suite accounts. More information on this can be found here. If someone new joins within that 9 months and is manually assigned the same username (against best practice!), RM Unify will fail safe by not giving them the corresponding email address - this would give them access to the previous user's email and cloud drive.

The crux of this issue is that RM Unify doesn't know what the intent of the IT admin is, whether a) give a new user access to that same inbox and cloud drive, or b) they should have a new empty account. RM Unify assumes the latter and creates a new, unique email address by appending a sequence number - joebloggs1, joebloggs2, etc. So if you unexpectedly see a sequence number appearing on the end of a username or email address it is because RM Unify has reserved that identifier for a deleted user, to prevent accidental reuse.

Further information

back to top button
back to top button