In the other scenario, guessing the userid can be done remotely, whereas to get to the AuthID, someone needs to be on the user's device. If someone gains access to the user's device, there is more to worry about than just the AuthID. They can simply install malware or a bot and capture all the information from that point in time.
Now, the reason we have the userid in the AuthID is this: when a user enters the userid, the application needs to check if there is a corresponding AuthID for that userid. There are multiple ways to achieve that instead of storing the userid in the AuthID. A few options are:
- Encrypt the userid in the AuthID, but anything you do on the client can easily be undone by a program.
- The other option is to have a reference id in the AuthID and map that reference id to the userid in the backend. This requires a network call.
Having said that, we can raise the difficulty bar for getting the userid, but we cannot completely prevent it. Again, what we are trying to achieve is to secure non-sensitive information.
Thanks,
Lakshmi.