Looking at the docs on breached password detection, it is not clear how the breached password detection detects the user’s credentials in the scenario where the user’s email attribute is not used in the database connection.
If a user with an email and username has an email-password set that is considered compromised but they log in on a connection that only accepts username as an attribute - will the breach password detection use their username-password combo, email-password or both to determine whether to block the login?
Ideally I would hope that the user’s email is still used even if it wasn’t the attribute used in the login since it clearly is associated with the account.
The Breached Password Detection feature generally focuses on passwords that have been breached, that have been made public and are vulnerable. I believe that the confusion might come from the fact that multiple times in our docs we refer to "user credentials". This does hold true: if the system detects a username (or email)/password combination that appeared in a data breach, a user with those credentials will not be able to log in, as described in this documentation.
The main focus of the feature is the passwords - if a breached password is used (regardless of it being combined with a username or an email) and you have enabled the system to block compromised user accounts, the user with that password will not be able to log in. In this doc’s example for a testing scenario, it’s stated: "Go through your login flow and submit the identifier and password that you assigned."
Hopefully I was able to clear up some details for you!