Reset Password - Is Email Always Sent When Message is displayed?

I think the reset password interface is a bit confusing. It seems like the email is not being sent under many conditions, but still indicates that the email was sent. I’d like error messages if the user logged in with Gmail and is trying to get the password reset through auth0.

Hey there @codetricity1!

What stack of ours are you using? Is it possible for you to record us a HAR file of the flow so we can see what happens behind the scenes of the browser (it’s for non-mobile scenarios)? If so please record the flow and share it with me via private message:

Hi, @codetricity1

The behavior of displaying a message that the email was sent even when the user was not found is by design.

To return a message indicating that the email could not be sent or the user not found would go against modern security best practices by exposing the application to user enumeration. User enumeration allows potentially malicious third-parties to learn the usernames and/or email addresses of legitimate users, which the third party can then use to attempt to gain access to user accounts through guessing passwords, brute force attacks, or matching usernames to a list of passwords leaked from other services.

Please see here for some additional information on OWASP recommendations regarding user enumeration.

This can sometimes cause confusion for users who sign up to applications with a social identity provider and later forget that they did so, but we take security very seriously and aim to follow current best practices.
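The design described in the reply above, shown as an added example that is not Auth0's code: a reset handler that leaks account existence next to one that returns the same message on every branch. The user store, the `Mailer` stub, the connection names and the function names are constructed for illustration; the choice to mail a social-login user an explanation (delivered to the mailbox, not to the requester) is one way to reduce the confusion mentioned above without exposing enumeration, and is an assumption of this example rather than Auth0's behaviour.

```python
"""Password-reset request handling: an enumerating handler beside a uniform-response one.

Added example, not Auth0 code. USERS, Mailer and the two handlers are
constructed for illustration only.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample user store: one database user, one social (Google) user.
USERS = {
    "alice@example.com": {"connection": "Username-Password-Authentication"},
    "bob@example.com": {"connection": "google-oauth2"},
}

DB_CONNECTION = "Username-Password-Authentication"
GENERIC_RESPONSE = "If an account exists for that address, we've sent reset instructions."


@dataclass
class Mailer:
    """Stub mailer that records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def request_reset_enumerating(email: str, mailer: Mailer) -> str:
    """Anti-pattern: each branch answers differently, so an unauthenticated caller
    can confirm which addresses are registered and how they sign in."""
    user = USERS.get(email)
    if user is None:
        return "No account found for that email address."
    if user["connection"] != DB_CONNECTION:
        return "This account uses a social login; there is no password to reset."
    token = secrets.token_urlsafe(32)
    mailer.send(email, "Reset your password",
                f"Reset link: https://app.example.com/reset?token={token}")
    return "Password reset email sent."


def request_reset_uniform(email: str, mailer: Mailer) -> str:
    """Same response on every branch. What differs is only what lands in the
    mailbox, which the requester must control to learn anything."""
    user = USERS.get(email)
    # Always generate a token so the unknown-address path does comparable work
    # and does not stand out on response timing.
    token = secrets.token_urlsafe(32)
    if user is None:
        pass  # nothing to send; response is still the generic message
    elif user["connection"] == DB_CONNECTION:
        mailer.send(email, "Reset your password",
                    f"Reset link: https://app.example.com/reset?token={token}")
    else:
        # Assumption of this example: tell the mailbox owner how they signed up.
        # The requester still sees only GENERIC_RESPONSE.
        mailer.send(email, "About your password reset request",
                    f"Your account signs in with {user['connection']}; "
                    "there is no password to reset. Use that provider to log in.")
    return GENERIC_RESPONSE


def responses_are_uniform(handler, emails) -> bool:
    """Check that a handler gives an identical reply for every address in `emails`.
    A quick regression test against reintroducing enumeration."""
    replies = {handler(e, Mailer()) for e in emails}
    return len(replies) == 1


if __name__ == "__main__":
    probe = ["alice@example.com", "bob@example.com", "nobody@example.com"]
    print("enumerating uniform?", responses_are_uniform(request_reset_enumerating, probe))
    print("uniform uniform?    ", responses_are_uniform(request_reset_uniform, probe))
```

The `responses_are_uniform` check is the kind of thing to keep in a test suite: any future branch that returns a more "helpful" message for one class of account will fail it.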
