We are running into some confusion with our clients:
They sign up with Google auth, forget they used Google OAuth, and try to enter a username and password to log in. They realize they don’t know their password, so they click the reset password link, which informs them that an email has been sent. But the email never arrives because they don’t have a username/password account for that specific email.
Is there a way to inform users that the account they are trying to recover does not exist, or change/improve the response message when a user attempts to reset their password?
The reset password page will always report a successful sending of the email to mitigate enumeration attacks.
A potential workaround would be to customize the text on the password reset screen to add a note that they may have used a social account to sign in if they do not receive an email, to try to hint to the user they might need to try one of your enabled social connections instead.
For example, you could modify the `descriptionEmail` text on the screen `reset-password-request` to read like the text below:
“Enter your email address and we will send you instructions to reset your password. If you do not receive an email, you may have signed up with your Google account previously, or do not have an account”
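The enumeration-safe behaviour described in this answer, as an added illustration that is not Auth0's own code: the reset request returns the same response whether the address is unknown, has a password identity, or only has a social identity, so the response never reveals which one applies. The in-memory user store and outbox are constructed stand-ins, the connection names are Auth0's default names assumed for the sample data, and emailing a social-only user a hint (rather than nothing) is an assumed extension that keeps the visible response identical.

```python
from dataclasses import dataclass, field

# Mirrors the customised descriptionEmail suggested above: always the same text.
GENERIC_RESPONSE = (
    "If an account exists for that address, we have sent instructions to reset "
    "your password. If you do not receive an email, you may have signed up with "
    "your Google account previously, or do not have an account."
)

# Assumed Auth0 default connection names, used only for the constructed sample data.
PASSWORD_CONNECTION = "Username-Password-Authentication"
SOCIAL_CONNECTION = "google-oauth2"


@dataclass
class User:
    email: str
    connections: set  # identities linked to this account


@dataclass
class Outbox:
    sent: list = field(default_factory=list)  # (recipient, subject) pairs

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


def request_reset(email: str, users: dict, outbox: Outbox) -> str:
    """Handle a reset request without leaking whether the address is registered."""
    user = users.get(email.strip().lower())
    if user is None:
        pass  # unknown address: send nothing, but return the same response
    elif PASSWORD_CONNECTION in user.connections:
        outbox.send(user.email, "Reset your password")
    else:
        # social-only account: the email, not the on-screen response, carries the hint
        outbox.send(user.email, "You signed in with a social account")
    return GENERIC_RESPONSE


# Constructed sample store: one password user, one Google-only user.
SAMPLE_USERS = {
    "alice@example.com": User("alice@example.com", {PASSWORD_CONNECTION}),
    "bob@example.com": User("bob@example.com", {SOCIAL_CONNECTION}),
}
```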