Configurable Account Enumeration protection in Account Experience
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Network project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe your problem

In the default Ory Account Experience, if the user attempts to register with an email address that has already been used, the user receives the following error message, "An account with the same identifier (email, phone, username, ...) exists already".
As a result, your project is vulnerable to Account Enumeration.
Account enumeration is a common vulnerability that allows an attacker who has acquired a list of valid usernames, IDs, or email addresses to verify whether or not a user exists in a system.
I logged this issue as a feature request, but you may want to change it to a bug if the current behaviour is not intended.
Describe your ideal solution
https://www.ory.sh/docs/kratos/self-service talks about attackers being able to exploit account enumeration and how Ory Identities applies best practices established by experts.
So ideally, if the user attempts to register with an email address that has already been used, the application would behave in the same way as if the email address had not been used yet, i.e., display a success message and trigger an email.
The only difference is that the email content is conditional on whether an account exists already or not. If the account already exists, then the email can provide login or recovery links.
Workarounds or alternatives
Bring your own UI.
Version
Ory Network
Additional Context
No response
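The flow proposed above, as an added Go example that is not part of this issue or of Ory's code base: a hypothetical in-memory `RegistrationService` whose `Register` answers identically for new and already-registered addresses and differs only in which kind of email it queues. All type and function names are assumptions for illustration, not the Kratos API.

```go
package main

import "strings"

// EmailKind selects which message the mail subsystem sends; the HTTP response
// never reveals which one was chosen, only the inbox content differs.
type EmailKind int

const (
	EmailVerifyNewAccount EmailKind = iota // address unknown: verification link
	EmailExistingAccount                   // address known: login / recovery links
)

type OutboundEmail struct{ To string; Kind EmailKind }

// RegistrationService is a hypothetical in-memory stand-in for an identity
// backend, used only to illustrate the flow; it is not the Kratos API.
type RegistrationService struct {
	existing map[string]bool // constructed identity store, keyed by normalized email
	Outbox   []OutboundEmail // emails queued for delivery
}

func NewRegistrationService(known ...string) *RegistrationService {
	s := &RegistrationService{existing: map[string]bool{}}
	for _, e := range known {
		s.existing[normalize(e)] = true
	}
	return s
}

func normalize(email string) string { return strings.ToLower(strings.TrimSpace(email)) }

// Register returns the same message and queues exactly one email whether or
// not the address is known; only the kind of email differs.
func (s *RegistrationService) Register(email string) string {
	addr := normalize(email)
	kind := EmailVerifyNewAccount
	if s.existing[addr] {
		kind = EmailExistingAccount // no duplicate identity is created
	} else {
		s.existing[addr] = true // provision the new, not-yet-verified identity
	}
	s.Outbox = append(s.Outbox, OutboundEmail{To: addr, Kind: kind})
	return "Check your inbox to continue."
}

func main() {
	s := NewRegistrationService("alice@example.com")
	println(s.Register("alice@example.com") == s.Register("bob@example.com")) // true
}
```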
Fully agree, we must change the behavior of the default implementation in Ory Account Experience. Added to the near-term backlog. Thanks for the report!
Absolutely :) To extend Klaus' answer - preventing account enumeration has poor user experience and there are many flows that need to be covered - not just login, but also updating emails, social sign-up, and so on. Having a configuration that prevents account enumeration will come with a lot of drawbacks, so it's best to only use it if your threat model says that it's required!