Lock Message Change

lock

#1

If a user requests a password reset, they’re currently given this message:

WE'VE JUST SENT YOU AN EMAIL TO RESET YOUR PASSWORD.

I understand the security reason to be vague here. You can’t confirm or deny if this email has an account. However, this can be extremely frustrating if a user isn’t sent an email yet the system tells the user an email WAS sent.

I suggest this message be changed to something like below, which neither confirms nor denies the account, but also doesn’t tell the user an email was sent if it wasn’t.
If your email was found in our account database, you will receive an email shortly!


#2

We support doing this already out of the box. This is defined by success.forgotPassword in languageDictionary; you can override this easily with the following options.


{
     /* Other lock options */
     languageDictionary: {
         success: {
             forgotPassword: 'If your email was found in our account database, you will receive an email shortly!'
         }
     }
}
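
The behaviour the two posts above rely on, as an added example that is not part of the thread and not Auth0's code: a reset handler whose reply is identical for known and unknown addresses, so the proposed wording stays truthful on both paths. The names `requestPasswordReset`, `SAMPLE_ACCOUNTS` and `outbox` are hypothetical, and the account data is constructed.

```javascript
// Added example: hypothetical reset handler, not Auth0's implementation.
// The reply uses the wording proposed in the thread and is the same object
// whether or not the address belongs to an account.
const RESET_REPLY = Object.freeze({
  status: 200,
  message: 'If your email was found in our account database, you will receive an email shortly!'
});

// Constructed sample data: the only registered account.
const SAMPLE_ACCOUNTS = new Map([['alice@example.com', { id: 1 }]]);

function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// `accounts` stands in for a user store, `outbox` for a mail queue.
function requestPasswordReset(email, accounts, outbox) {
  const key = normalizeEmail(email);
  if (accounts.has(key)) {
    // Queue the mail rather than sending inline, so response time
    // does not depend on whether the account exists.
    outbox.push({ to: key, template: 'password-reset' });
  }
  return RESET_REPLY; // same status and body on both paths
}

// Runs one known and one unknown address through the handler.
function demo() {
  const outbox = [];
  const known = requestPasswordReset(' Alice@Example.com ', SAMPLE_ACCOUNTS, outbox);
  const unknown = requestPasswordReset('nobody@example.com', SAMPLE_ACCOUNTS, outbox);
  return { known, unknown, outbox };
}
```
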


#3