Overview
The password reset flow on New Universal Login does not indicate when a user does not exist. This can confuse users, who then wait in their inbox for an email.
Applies To
- New Universal Login
- Notification
- Password Reset Flow
Solution
This behaviour is by design to prevent user enumeration attacks: that is, cyber criminals should not have a means of testing whether a user exists in Auth0. The tenant logs will indicate that the user does not exist.
As a workaround, customers can amend the wording of the message on New Universal Login from “Please check for instructions to reset your password.” to something like “If you have an account, you will receive an email to reset your password.” This may help avoid confusion for end users while preserving the security benefit.
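The pattern behind this design, as an added illustration that is not Auth0's code: a reset handler that leaks account existence through its response, beside one that returns the recommended neutral wording either way and records the "user does not exist" case only in a server-side log. The user store, the log event names and the in-memory mail queue are constructed stand-ins, not Auth0's real log types or APIs.

```python
"""Added example (not Auth0's code): enumeration-safe password reset.

The response body must not depend on whether the address is registered;
the distinction is kept in an operator-visible log instead.
"""
from typing import Dict, List

# Constructed sample user store: email -> user id (hypothetical ids).
USERS: Dict[str, str] = {"alice@example.com": "user-000001"}

# Neutral wording recommended by the article.
NEUTRAL_MESSAGE = (
    "If you have an account, you will receive an email to reset your password."
)

# In-memory stand-ins for the tenant log and the outbound mail queue,
# so the example runs offline. Event type names are hypothetical.
TENANT_LOG: List[dict] = []
SENT_EMAILS: List[str] = []


def send_reset_email(email: str) -> None:
    """Stand-in for the real mailer: just records the recipient."""
    SENT_EMAILS.append(email)


def leaky_reset(email: str) -> str:
    """Anti-pattern: the reply itself tells the requester whether the
    account exists, which is exactly the oracle an enumeration attack needs."""
    if email not in USERS:
        return "No account found for that email address."
    send_reset_email(email)
    return "Please check for instructions to reset your password."


def safe_reset(email: str) -> str:
    """Hardened handler: identical response for known and unknown addresses.

    The fact that the user does not exist still goes to the tenant log,
    where operators can see it but the requester cannot. (Response wording
    is one channel; status codes and timing must be kept uniform too.)
    """
    user_id = USERS.get(email)
    if user_id is None:
        TENANT_LOG.append({"type": "reset_user_not_found", "email": email})
    else:
        send_reset_email(email)
        TENANT_LOG.append({"type": "reset_requested", "user_id": user_id})
    return NEUTRAL_MESSAGE
```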