Show "User already exists" error on Sign Up?

What is the easiest way to show “User already exists” error on Sign Up?
We use customized Universal Login (Lock.js library).

I saw this reasoning for showing a generic error for the “User already exists” situation (“Custom sign up error message for user that already exists”, #2 by Kris.B); however, I am less affected by the user enumeration threat (I don’t want to disclose details) and I need to provide a better user experience.

Hey there @ant,

I wanted to follow up to agree with Kris’s original post which I will include below.

To return a message indicating that the email address or user already exists would expose the application to user enumeration. User enumeration allows potentially malicious third-parties to learn the usernames and/or email addresses of legitimate users, which the third party can then use to attempt to gain access to user accounts through guessing passwords, brute force attacks, or matching usernames to a list of passwords leaked from other services.

Please see here for some additional information on OWASP recommendations regarding user enumeration.

To do otherwise poses a security risk which I wouldn’t be able to recommend. Thanks for your understanding on this front.

Hi James,

I appreciate following all security recommendations; however, it’s just a bad user experience. At least 2 big companies show a “User already exists” error (Google and Facebook).

What if we want to provide the same user experience? Could you reply to my initial question, please?

1 Like

Hi @ant

Under Tenant Settings → Advanced there is “Use a generic response in public signup API error message”. If you disable this it will return the type of error message that can open you up to user enumeration attacks. I think Lock will display the returned message by default but you might need to do a small amount of work to get it working. Please let me know if you run into problems with that.

3 Likes
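Added example, not part of the thread and not Auth0's code: a toy sign-up endpoint showing what a generic-error switch like the one described above changes in the error responses, with a check a team can run against its own configuration. The `genericSignupErrors` flag, the function names, the error codes and the sample account are assumptions made for illustration.

```javascript
// Toy sign-up endpoint (added example, not Auth0's implementation).
// `genericSignupErrors` is a hypothetical flag standing in for the tenant
// setting "Use a generic response in public signup API error message".
function makeSignupApi({ genericSignupErrors }) {
  const users = new Set(["alice@example.com"]); // constructed sample data

  return function signup(email, password) {
    const key = email.toLowerCase();
    const exists = users.has(key);
    const weak = password.length < 8; // stand-in password policy
    if (!exists && !weak) {
      users.add(key);
      return { status: 200, body: { email: key } };
    }
    if (genericSignupErrors) {
      // Same status and body for every failure cause.
      return { status: 400, body: { code: "invalid_signup" } };
    }
    // Specific codes: clearer for the user, but `user_exists`
    // confirms to any caller that the address is registered.
    const code = exists ? "user_exists" : "invalid_password";
    return { status: 400, body: { code } };
  };
}

// Configuration check: does the error reply for `email` differ from the
// error reply for an address that cannot be registered? A too-short
// password is used on purpose so the check never creates an account.
function errorRevealsExistence(signup, email) {
  const probe = JSON.stringify(signup(email, "x"));
  const control = JSON.stringify(signup("control@example.invalid", "x"));
  return probe !== control;
}

const genericApi = makeSignupApi({ genericSignupErrors: true });
const verboseApi = makeSignupApi({ genericSignupErrors: false });
console.log("generic errors reveal existence:",
  errorRevealsExistence(genericApi, "alice@example.com"));
console.log("specific errors reveal existence:",
  errorRevealsExistence(verboseApi, "alice@example.com"));
```

With the flag on, both failure causes produce the same reply; with it off, the `user_exists` code is what a sign-up form would surface to the user.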

Thanks for following up on that, Thomas!