What is the easiest way to show “User already exists” error on Sign Up?
We use customized Universal Login (Lock.js library).
I saw the reasoning for showing a generic error in the “User already exists” situation (Custom sign up error message for user that already exists - #2 by Kris.B); however, I am less affected by the user enumeration threat (I don’t want to disclose details) and I need to provide a better user experience.
I wanted to follow up to agree with Kris’s original post which I will include below.
To return a message indicating that the email address or user already exists would expose the application to user enumeration. User enumeration allows potentially malicious third-parties to learn the usernames and/or email addresses of legitimate users, which the third party can then use to attempt to gain access to user accounts through guessing passwords, brute force attacks, or matching usernames to a list of passwords leaked from other services.
Please see here for some additional information on OWASP recommendations regarding user enumeration.
To do otherwise poses a security risk which I wouldn’t be able to recommend. Thanks for your understanding on this front.
I appreciate following all security recommendations; however, it’s just a bad user experience. At least two big companies show a “User already exists” error (Google and Facebook).
What if we want to provide the same user experience? Could you reply to my initial question, please?
Under Tenant Settings → Advanced there is “Use a generic response in public signup API error message”. If you disable this, it will return the type of error message that can open you up to user enumeration attacks. I think Lock will display the returned message by default, but you might need to do a small amount of work to get it working. Please let me know if you run into problems with that.