Username Policies: Best Practices

To balance ease of use with industry best practices around usernames, please consider the following.

Best Practices for Usernames

• A System Unique Identifier such as 'employeeID' or 'studentID'.

• First Initial, Last Name (On Username collisions append letters or numeric values)
• Last Name, First Initial
• Full First, Full Last
• Combination of Last Name and Unique ID

Things to take into consideration when determining Usernames Policies:

• If the source system has a username that is generated then it is recommended to use that username. i.e. OneRoster
• Username Delivery
  • How does the end user receive the username? If it is their SIS Username they SHOULD know it, which is why that is recommended. However, for other options the end user will need to be told their username. Email, text messaging are options, but not for students all the time. For students it is recommended for our system to use QR codes, which can contain the username/password or just the username.
• Complexity
  • Users should not be forced to use something that is complex to enter a system. It is their first experience with a system and a bad login experience will only lead to frustration.
• Username Collision
  • It happens quite frequently that users may have the same first name i.e. John Smith. JSmith1, JSmith2, JSmith3 etc… It is a best practice to avoid this.
• Re-using Usernames
  • This falls into a different category, but it is suggested that usernames are not re-used for a certain period of time in the event that they are used for an email platform you do not want someone gaining access to another person’s email.