Feature: Allow New Universal Login / Passwordless login to be configured to show an error message if the provided email doesn’t belong to a user in Auth0.
Description: When using passwordless authentication (email) using the New Universal Login, and with signups disabled, there’s no error message shown if the user enters an incorrect/mistyped email. I understand this has been implemented to prevent user enumeration attacks, but in certain cases that risk may be accepted and it would be useful to have an option to allow an error message to the user, if there’s no user with the provide email in Auth0.
Use-case: Users may get confused when entering a mistyped email, or if they are unsure which email address to provide in the login flow. There’s no feedback to the user that they have potentially entered a wrong email. They are simply taken to the screen where the OTP code is to be entered. The only option the user has is to ask the code to be resent, but that won’t help as the initial email address was incorrect.