1

My partner and I are arguing about our auth system. They believe that obfuscating the existence of another account (by showing a generic error) is preferable to surfacing an error warning about account name collision. I argue that this is a way to get users to go away and not come back.

Relatedly, I suggest the pattern of obfuscating email (which also must be unique) availability in the "forgot password" confirmation, but they argue that if we're not obfuscating existence on sign-up, it's asinine to obfuscate on recovery. I kind of have to agree, but I'm curious why sites like microsoft follow that pattern.

I had to send a password reset today and they said, "If [blah] matches the email on your account, we'll send you a code", but I just tried to make an account with the same email and it said, "[blah] is already a Microsoft account." I feel sure I've seen this pattern elsewhere, too. What's the benefit of obfuscating one and not the other?

jugglervr
  • 111
  • 1
  • Related: [Should I let a user know they have entered an unknown user name or email address?](https://security.stackexchange.com/questions/62937/should-i-let-a-user-know-they-have-entered-an-unknown-username-or-email-address) – John Wu Apr 08 '22 at 01:10

0 Answers0