The application I'm trying to develop targets two kinds of users. The
*real* user of the system uses the full core functions of the
application, while another set of targeted users has limited access to
certain functions of the system.

Issues: the public user may or may not have an email address. (I
thought of SMS verification as they're more likely to have mobiles, but
that's not guaranteed.)  The public user might use the system only once,
or may do so again in the near future; I cannot say which. Demographics
are provided by these public users, some of which may change over time.

I intend to extend the auth_user table for the "core" user, but I'm not sure
if I should allow public users with email addresses to register in
auth_user as well. The use case is very different. And how do I deal with
public users without email addresses who may want to use the system
again in the future?

I am playing with the idea of asking the public user without an email
address to authenticate by asking them a random question based on
demographics they previously provided and/or adding a "security question"
option. They still don't get to log in, but I could, say, set a session
variable if they successfully answer the random question/security
question.

Looking forward to hearing your inputs. Thanks. 

/r
Nik
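One way to implement the knowledge-based check described in the post above, as an added example and not code from the original poster or from any framework. It assumes a hypothetical `PublicUser` record whose demographic answers are stored only as salted PBKDF2 hashes, a plain `dict` standing in for the web framework's session object, and the constants `MAX_ATTEMPTS` and `PBKDF2_ROUNDS`, which are illustrative choices. The things a practitioner would want alongside the basic "pick a random question, compare the answer, set a session flag" flow are all here: answers are normalised before hashing so trivial formatting differences don't lock people out, the comparison is constant-time, the question is chosen with a CSPRNG, failed attempts are counted and the account is locked after a threshold (demographic facts are guessable, so unlimited tries would make the check worthless), and answers can be re-enrolled when a demographic changes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical record for a public user without an email address (not from
# the original post). Demographic answers are stored as salted hashes only.
@dataclass
class PublicUser:
    user_id: str
    salt: bytes
    answer_hashes: dict          # question label -> PBKDF2 hash of the answer
    failed_attempts: int = 0

MAX_ATTEMPTS = 5                 # assumed lockout threshold
PBKDF2_ROUNDS = 100_000          # assumed work factor


def normalize(answer: str) -> str:
    """Canonicalise free-text answers so ' SW1A  1AA' and 'sw1a 1aa' match."""
    return " ".join(answer.strip().lower().split())


def hash_answer(salt: bytes, answer: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def enrol(user_id: str, demographics: dict) -> PublicUser:
    """Create a public-user record from the demographics supplied at first use."""
    salt = secrets.token_bytes(16)
    hashes = {q: hash_answer(salt, a) for q, a in demographics.items()}
    return PublicUser(user_id=user_id, salt=salt, answer_hashes=hashes)


def update_demographic(user: PublicUser, question: str, new_answer: str) -> None:
    """Demographics change over time; re-hash the new value under the same salt."""
    user.answer_hashes[question] = hash_answer(user.salt, new_answer)


def pick_question(user: PublicUser) -> str:
    """Choose the challenge question with a CSPRNG, not random.choice()."""
    return secrets.choice(sorted(user.answer_hashes))


def is_locked(user: PublicUser) -> bool:
    return user.failed_attempts >= MAX_ATTEMPTS


def verify(user: PublicUser, question: str, answer: str, session: dict) -> bool:
    """Check the answer; on success mark the session as verified for this user.

    The session is never marked as a full login, matching the post's intent:
    the public user only gets a flag that unlocks their limited functions.
    """
    if is_locked(user):
        return False
    expected = user.answer_hashes.get(question)
    if expected is None:
        return False                         # unknown question, nothing to compare
    ok = hmac.compare_digest(expected, hash_answer(user.salt, answer))
    if ok:
        user.failed_attempts = 0
        session["public_user_id"] = user.user_id
        session["public_user_verified"] = True
    else:
        user.failed_attempts += 1
    return ok


if __name__ == "__main__":
    # Constructed sample data, not real user information.
    u = enrol("pub-0001", {"postcode": "SW1A 1AA", "year_of_birth": "1980"})
    s = {}
    q = pick_question(u)
    print("challenge:", q)
    print("correct answer accepted:", verify(u, "postcode", " sw1a 1aa ", s), s)
```

In a real deployment the failed-attempt counter and the hashes would live in the database next to the public user's row, and the session flag would be read by a decorator or middleware that gates the limited functions; the `session` dict here simply stands in for `request.session` or its equivalent.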
