We use the New Universal Login, have set up passwordless login using email, and have disabled the “sign-up” option.
I noticed that if I enter an incorrect email address, meaning one that we do not have a user for, then it still asks for a code without an error message on the login widget saying that the user doesn’t exist.
Is that intended and recommended, or is there a way to configure a message such as “Invalid user”?
Solution
Unfortunately, this is the default behavior in New Universal Login that cannot be changed. The Classic Universal Login acts differently, and you can customize the error message. Although, the error message is a fallback that covers any errors apart from the ones in the list you see here:
In the New Universal Login, this was done on purpose to prevent enumeration attacks. However, feel free to log a feature request here: