I’m currently using monero addresses as the sole authentication method for a custodial service, similar to how mullvad VPN has a single account number to authenticate. My understanding is that these are unique, and impossible to guess. For a custodial service, this makes withdrawing user funds trivial as well.
Can anyone tell me why this is a bad idea?
The nature of Monero address is public (it can be used publicly to receive xmr), and you don’t want to use a public string as a secret password. Practically, though, if it’s possible for you to keep it absolutely secret and safe, you’re free to do so at your own risk.
If it’s the main address starting with “4” and later you happen to decide having fun p2pooling using the same address, then obviously that’s not good. To avoid unnecessary worries, perhaps making it a random string, like @Unkn8wn69 said, is a good idea.
Technically, since the string length of a monero address (hence the name space) is finite, it’s not guaranteed to be unique, though the probability of collision is vanishingly small and this won’t be a real concern at all.