User Enumeration Protection

Prevent attackers from discovering which email addresses are registered in your system.

What is User Enumeration?

User enumeration is an attack where an attacker determines whether a specific email address has an account in your system. This information can then be used for:

  • Targeted phishing: Knowing which emails are valid helps craft convincing phishing emails
  • Account takeover: Focus password attacks on known accounts
  • Privacy violation: Revealing user presence in sensitive apps (dating, health, etc.)
  • Competitive intelligence: A competitor can discover which companies or employees use your service

⚠️ Risk: Without protection, login errors like "Email not found" or "Incorrect password" reveal account existence.

Common Enumeration Vectors

❌ Vulnerable: Different Error Messages

json

Attack: The attacker submits candidate emails with any password; because the two failure messages differ, each response tells them whether that email is registered.

❌ Vulnerable: Timing Attacks

plaintext

Attack: Response time reveals whether the account exists. A handler that returns as soon as the email lookup fails skips the deliberately slow password-hash check, so replies for unknown emails arrive measurably faster than replies for wrong passwords, even when the message text is identical.

❌ Vulnerable: Registration Endpoint

json

Attack: The attacker attempts to register with the target email; an "already registered" error confirms the account exists.

❌ Vulnerable: Password Reset

json

Attack: A reset request for the target email returns "no account found" (or a success message only when the account exists), which confirms existence without needing a password.

AuthCore Protection

When user enumeration protection is enabled, AuthCore implements multiple layers of defense:

✅ Protected: Consistent Error Messages

json

The same generic message (and the same HTTP status code) is returned whether or not the email exists.

✅ Protected: Constant-Time Comparison

typescript

The same amount of work, including the password-hash check, is performed whether or not the account exists, and the hash comparison itself is constant-time, so response time does not reveal account existence.
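The two login paths above (the vulnerable early return and the protected constant-time version), as an added example that is not AuthCore's own code. It assumes a hypothetical in-memory user store and uses Node's built-in scrypt and timingSafeEqual; the unknown-email branch is verified against a throwaway dummy record so the slow KDF runs on every path.

```typescript
import { scryptSync, timingSafeEqual, randomBytes } from "node:crypto";

// Assumed in-memory user store for this example (not AuthCore's storage layer).
type User = { salt: Buffer; hash: Buffer };
const users = new Map<string, User>();

const KEYLEN = 32;
function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, KEYLEN); // deliberately slow KDF
}

function register(email: string, password: string): void {
  const salt = randomBytes(16);
  users.set(email.toLowerCase(), { salt, hash: hashPassword(password, salt) });
}
register("alice@example.com", "correct horse battery staple"); // constructed test user

// Counts how often the slow verification ran, so the two login paths can be compared.
let verifyCalls = 0;
function resetVerifyCalls(): void { verifyCalls = 0; }
function getVerifyCalls(): number { return verifyCalls; }

function verifyPassword(password: string, user: User): boolean {
  verifyCalls++;
  // timingSafeEqual compares equal-length buffers without exiting early on the first mismatch.
  return timingSafeEqual(hashPassword(password, user.salt), user.hash);
}

type LoginResult = { ok: boolean; error?: string };
const GENERIC_ERROR = "Invalid email or password";

// Vulnerable: an unknown email returns before the KDF runs, so the reply is
// both worded differently and measurably faster than a wrong-password reply.
function loginVulnerable(email: string, password: string): LoginResult {
  const user = users.get(email.toLowerCase());
  if (!user) return { ok: false, error: "Email not found" };
  if (!verifyPassword(password, user)) return { ok: false, error: "Incorrect password" };
  return { ok: true };
}

// Protected: unknown emails are verified against a throwaway dummy record, so
// the same KDF work happens on every path and the message never changes.
const DUMMY_USER: User = (() => {
  const salt = randomBytes(16);
  return { salt, hash: hashPassword(randomBytes(16).toString("hex"), salt) };
})();

function loginProtected(email: string, password: string): LoginResult {
  const user = users.get(email.toLowerCase());
  const matches = verifyPassword(password, user ? user : DUMMY_USER);
  if (!user || !matches) return { ok: false, error: GENERIC_ERROR };
  return { ok: true };
}
```

The call counter is the observable to check: the vulnerable handler never reaches the KDF for an unknown email, while the protected handler hashes on both branches. In a real deployment the dummy record should use the same KDF parameters as live accounts, and the HTTP status code must also be identical on both failure branches.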

✅ Protected: Silent Password Reset

json

The response is the same whether or not the email was found; if an account exists, the reset link is delivered to that mailbox, so only the mailbox owner learns anything.

✅ Protected: Registration Handling

json

The response asks the user to check their inbox to continue, without confirming whether the address was already registered; an existing account holder receives a notice in that inbox instead of a new account.
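The password-reset and registration endpoints in both their vulnerable and protected forms, as an added example that is not AuthCore's own code. It assumes a hypothetical set of registered emails and an in-memory outbox standing in for the mail service; the protected handlers return an identical status and message for known and unknown addresses, and the only difference is which email (if any) is sent, and to whom.

```typescript
// Constructed state for this example: registered addresses and a fake outbox.
const registered = new Set<string>(["alice@example.com"]);

type MailKind = "password_reset" | "verify_email" | "already_registered";
type Mail = { to: string; kind: MailKind };
const outbox: Mail[] = [];

type Reply = { status: number; message: string };

function norm(email: string): string {
  return email.trim().toLowerCase();
}

// Returns the kinds of mail sent to one address, for inspection.
function sentTo(email: string): MailKind[] {
  return outbox.filter((m) => m.to === norm(email)).map((m) => m.kind);
}

// Vulnerable: status and message both reveal whether the account exists.
function resetVulnerable(email: string): Reply {
  const e = norm(email);
  if (!registered.has(e)) return { status: 404, message: "No account found for that email" };
  outbox.push({ to: e, kind: "password_reset" });
  return { status: 200, message: "Password reset email sent" };
}

// Protected: same reply either way; the reset link goes to the mailbox owner, not the requester.
function resetProtected(email: string): Reply {
  const e = norm(email);
  if (registered.has(e)) outbox.push({ to: e, kind: "password_reset" });
  return { status: 200, message: "If an account exists for that email, a reset link has been sent." };
}

// Vulnerable: a conflict status confirms the address is already registered.
function registerVulnerable(email: string): Reply {
  const e = norm(email);
  if (registered.has(e)) return { status: 409, message: "An account with this email already exists" };
  outbox.push({ to: e, kind: "verify_email" });
  return { status: 201, message: "Registration successful, check your email to verify" };
}

// Protected: always ask the requester to check the inbox; an existing owner gets
// an "already registered" notice instead of a verification link.
function registerProtected(email: string): Reply {
  const e = norm(email);
  outbox.push({ to: e, kind: registered.has(e) ? "already_registered" : "verify_email" });
  return { status: 200, message: "Check your email to continue setting up your account." };
}
```

Note that the protected registration path does not create the account until the verification link is used; if it did, an attacker could still enumerate by observing which addresses later log in.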

Configuration

Enable Protection

typescript

💡 Tip: This setting is enabled by default. Only disable if you have a specific reason.

Trade-offs

✅ Pros

  • Prevents account discovery
  • Reduces phishing effectiveness
  • Protects user privacy
  • Follows established authentication guidance (for example, OWASP's recommendations against account enumeration)

⚠️ Cons

  • Users don't get specific error feedback
  • Slightly more confusing UX (trade-off for security)
  • Password reset doesn't confirm email existence

When to Disable

In most cases, you should keep this protection enabled. Consider disabling only if:

User Experience Priority

You value explicit error messages over security and accept the enumeration risk.

Low-Risk Applications

Non-sensitive public apps where account discovery has minimal impact.

Public Directory

App already has a public member directory, so accounts are discoverable anyway.

⚠️ Warning: For sensitive applications (healthcare, financial, dating), always keep protection enabled.

Best Practices

✅ Always Enable in Production

Default to protected mode unless you have a compelling reason not to.

✅ Combine with Rate Limiting

Even with protection, rate limit login, registration and password-reset attempts. Residual side channels (timing jitter, infrastructure differences) can still be exploited statistically, and rate limiting makes that prohibitively slow at scale.

✅ Use Clear UX Copy

Generic errors can confuse users. Use helpful language: "Please check your email and password" instead of just "Invalid credentials."

✅ Offer Password Reset Prominently

Show "Forgot password?" link on login to help users who genuinely don't remember their password.

✅ Monitor Failed Attempts

Track failed-login patterns in audit logs to detect enumeration attempts. A single source failing against many distinct emails in a short window is the typical signature, as opposed to a legitimate user retrying one email.
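A detector for that pattern run over sample audit log lines, as an added example that is not AuthCore's own code. The JSON-lines log format and the event names are assumed for the example (AuthCore's actual audit log format is not shown on this page), and the log lines are constructed: one IP fails six distinct emails in two minutes, one legitimate user retries the same email, and one IP touches six emails spread over several hours.

```typescript
// Constructed audit log in an assumed JSON-lines shape (not AuthCore's format).
const SAMPLE_LOG = `
{"ts":"2024-05-01T10:00:00Z","event":"login_failed","ip":"203.0.113.5","email":"a@example.com"}
{"ts":"2024-05-01T10:00:20Z","event":"login_failed","ip":"203.0.113.5","email":"b@example.com"}
{"ts":"2024-05-01T10:00:40Z","event":"login_failed","ip":"203.0.113.5","email":"c@example.com"}
{"ts":"2024-05-01T10:01:00Z","event":"login_failed","ip":"203.0.113.5","email":"d@example.com"}
{"ts":"2024-05-01T10:01:20Z","event":"login_failed","ip":"203.0.113.5","email":"e@example.com"}
{"ts":"2024-05-01T10:01:40Z","event":"login_failed","ip":"203.0.113.5","email":"F@example.com"}
{"ts":"2024-05-01T10:02:00Z","event":"login_failed","ip":"198.51.100.7","email":"me@example.com"}
{"ts":"2024-05-01T10:02:30Z","event":"login_failed","ip":"198.51.100.7","email":"me@example.com"}
{"ts":"2024-05-01T10:03:00Z","event":"login_failed","ip":"198.51.100.7","email":"me@example.com"}
{"ts":"2024-05-01T10:03:30Z","event":"login_success","ip":"198.51.100.7","email":"me@example.com"}
{"ts":"2024-05-01T08:00:00Z","event":"login_failed","ip":"192.0.2.9","email":"p@example.com"}
{"ts":"2024-05-01T09:00:00Z","event":"login_failed","ip":"192.0.2.9","email":"q@example.com"}
{"ts":"2024-05-01T10:00:00Z","event":"login_failed","ip":"192.0.2.9","email":"r@example.com"}
{"ts":"2024-05-01T11:00:00Z","event":"login_failed","ip":"192.0.2.9","email":"s@example.com"}
{"ts":"2024-05-01T12:00:00Z","event":"login_failed","ip":"192.0.2.9","email":"t@example.com"}
{"ts":"2024-05-01T13:00:00Z","event":"login_failed","ip":"192.0.2.9","email":"u@example.com"}
`;

type AuditEvent = { ts: number; event: string; ip: string; email: string };

function parseLog(text: string): AuditEvent[] {
  return text
    .split("\n")
    .filter((line) => line.trim().length > 0)
    .map((line) => {
      const o = JSON.parse(line);
      return { ts: Date.parse(o.ts), event: o.event, ip: o.ip, email: String(o.email).toLowerCase() };
    });
}

// Flags IPs that fail logins against at least `minDistinct` different emails
// inside any sliding window of `windowMs`. Returns ip -> distinct emails seen.
function findEnumerators(
  events: AuditEvent[],
  windowMs: number = 10 * 60 * 1000,
  minDistinct: number = 5,
): Map<string, string[]> {
  const byIp = new Map<string, AuditEvent[]>();
  for (const e of events) {
    if (e.event !== "login_failed") continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip)!.push(e);
  }

  const flagged = new Map<string, string[]>();
  for (const [ip, evs] of byIp) {
    evs.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      // Slide the window start forward until it fits within windowMs of the current event.
      while (evs[end].ts - evs[start].ts > windowMs) start++;
      const distinct = new Set(evs.slice(start, end + 1).map((e) => e.email));
      if (distinct.size >= minDistinct) {
        flagged.set(ip, [...distinct].sort());
      }
    }
  }
  return flagged;
}

function detectFromSample(): Map<string, string[]> {
  return findEnumerators(parseLog(SAMPLE_LOG));
}
```

Keying on distinct emails rather than raw failure count is what separates enumeration from a forgetful user; the window keeps a slow, spread-out scan from being mistaken for one burst, so a second, longer-window rule is worth running alongside this one for low-and-slow scanning.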

UX Recommendations

Login Error Message

plaintext

Password Reset Message

plaintext
