I solved this problem by adding this piece of code in my authentication method:

// **sentry/config.php**: 'login_attribute' => 'first_name'
$user = Sentry::findUserByLogin($username);
            if ( $user["attributes"]["first_name"] !== $username ) {
                throw new Cartalyst\Sentry\Users\UserNotFoundException;
            }

This basically gets user object and compares "first_name" attribute with given username. Something so trivial I can't believe Sentry doesn't have this option enabled by default...

Why should a first name be capitalized correctly? What does it achieve for the website to have this constraint?

fquist said:

Why should a first name be capitalized correctly?

Because it is the only login attribute and it is used as a username?

fquist said:

What does it achieve for the website to have this constraint?

Higher level of security?

Assuming your users names are available publicly (via profiles for example) this provides no security benefit and even if their names are private checking for case provides no tangible security benefit, almost every user is going to input their name as either "John or "john" and if a person wishes to attempt to compromise an account they will try those common patterns. The more likely situation that this policy will cause is one in which someone forgets how they typed their name (John vs. john) and gets frustrated and angry at your website for telling them their details are wrong when they know they are right.

Assuming your website is going to have more than a few people using it, you're going to run into name collisions within just a few dozen users, I know 3 people off hand that have the same legal name as me. Pick a random name and you can guarantee there's going to be hundreds if not thousands of them, there are over 40,000 James Smith's in the USA for example.

A login identifier (username, email) must be unique to a user.

fquist said:

What does it achieve for the website to have this constraint?

Higher level of security?

Some security measures impact usability, without providing a lot of security benefits. This is one of them. Nobody will intentionally spell their first name as "JoHN" to heighten security. So basically, the measure will mostly punish people for making mistakes (inputting their first name as lowercase, etc).

In my case it is a backend application for a private company, user names are not publicly available, and number of people who will be given access will be around 20.

You are probably right about this, but I just like to do things in a "no margin for error" way.

So, what if they have just one employee called 'John' so it's fine, but then next year they happen to hire a new guy called John as well? Something similar has happened to a company I've worked with that uses first name e-mail addresses, and it causes frustration.

Do as you wish! But 'no margin of error' when there's no real security benefit just makes for grumpy users. Forgive the user when there's no real reason not to. You should read into password security, and you'll see it really makes the slightest difference.

Okay, thanks for the advice.