Same login behavior for non-existing users


We are using Auth0 with passwordless (users receive a PIN code in their email).

A user is able to enter an email and gets a different response depending on whether the user exists or not.
With this, a user can narrow down the registered user list and then proceed with a targeted attack.

So, is there a way for passwordless authentication to always return “An email with the code has been sent to xxx”?
This way an attacker can’t guess a valid account.


Hi @alexandre2,

Welcome to the Auth0 Community!

I understand that you have questions about obfuscating the error message when a user logs in with Passwordless Email Authentication.

To do so, you can modify the languageDictionary's Passwordless error message in your custom Universal login page. See below:

var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
  languageDictionary: {
    error: {
      // Overrides for the Passwordless error messages shown by Lock
      passwordless: {
        '': 'The email is invalid',
        'bad.phone_number': 'The phone number is invalid',
        'lock.fallback': "We're sorry, something went wrong"
      }
      // ... code redacted for brevity
    }
  }
});

Please see the languageDictionary object for the complete list of available properties.

Please let me know if there’s anything else I can do to help.

Thank you.


But your solution is just “cosmetic”, right?

If I look into network activity, when I try to log in with a non-registered email

So I can understand that this email is not registered.

I don’t want someone to be able to guess a registered email.


Hi @alexandre2,

Thank you for your response.

I have looked into your observations further and found the same results. Whenever a valid email address is submitted for a Passwordless email code, there will be the “An email with the code has been sent to EMAIL_ADDRESS” message.

In this case, yes, someone could target an attack on the users. With that, I recommend enabling Attack Protection features such as Bot Detection, Brute Force Protection, and Suspicious IP Throttling.

This way, your users can be protected from attacks and malicious attempts to access your application such as blocking traffic from certain IPs and displaying CAPTCHA.

Please let me know how this works for you.

Thank you.
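
The point raised in the thread, that changing the displayed message leaves the network response unchanged, shown as an added example (not code from the thread or from Auth0). It assumes a hypothetical backend wrapper, `uniformStartResponse`, in front of the passwordless start call and a check, `observableDiff`, that compares two replies; all names and sample responses are constructed.

```javascript
// Added illustration: handler shape, field names and sample responses are
// constructed for this example and are not Auth0's API or actual responses.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Build the reply the browser sees. Only the syntax check, which does not
// depend on whether an account exists, may change the outcome.
function uniformStartResponse(email, upstream) {
  if (!EMAIL_RE.test(email)) {
    return { status: 400, body: { error: 'invalid_email' } };
  }
  // The upstream result (code sent or unknown user) is deliberately not
  // reflected in the reply; keep it for server-side logging only.
  void upstream;
  return {
    status: 200,
    body: { message: `An email with the code has been sent to ${email}` },
  };
}

// List the response properties that differ between two replies. Any entry
// here is visible in the network tab, whatever text the UI displays.
function observableDiff(a, b) {
  const diffs = [];
  if (a.status !== b.status) diffs.push('status');
  if (JSON.stringify(a.body) !== JSON.stringify(b.body)) diffs.push('body');
  return diffs;
}

// Constructed upstream results for a registered and an unregistered address.
const upstreamKnown = { status: 200, body: { sent: true } };
const upstreamUnknown = { status: 400, body: { error: 'user_not_found' } };

// Relabelling the UI text leaves the raw replies distinguishable...
const rawDiff = observableDiff(upstreamKnown, upstreamUnknown);
// ...while the wrapper returns identical replies for both cases.
const wrappedDiff = observableDiff(
  uniformStartResponse('someone@example.com', upstreamKnown),
  uniformStartResponse('someone@example.com', upstreamUnknown)
);
console.log({ rawDiff, wrappedDiff });
```

Response timing is a further observable that this check does not cover.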