What is the easiest way to show “User already exists” error on Sign Up?
We use customized Universal Login (Lock.js library).
I saw this reasoning for showing generic error for “User already exists” situation Custom sign up error message for user that already exists - #2 by Kris.B, however I am less affected by user enumeration threat (I don’t want to disclose details) and I need to provide better user experience.
Hey there @ant,
I wanted to follow up to agree with Kris’s original post which I will include below.
To return a message indicating that the email address or user already exists would expose the application to user enumeration. User enumeration allows potentially malicious third-parties to learn the usernames and/or email addresses of legitimate users, which the third party can then use to attempt to gain access to user accounts through guessing passwords, brute force attacks, or matching usernames to a list of passwords leaked from other services.
Please see here for some additional information on OWASP recommendations regarding user enumeration.
To do otherwise poses a security risk which I wouldn’t be able to recommend. Thanks for your understanding on this front.
Hi James,
I appreciate following all security recommendations, however it’s just a bad user experience. At least, 2 big companies shows “User already exists” error (Google and Facebook).
What if we want provide the same user experience? Could you reply to my initial question, please?
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.
Hi @ant
Under Tenant Settings → Advanced there is “Use a generic response in public signup API error message”. If you disable this it will return the type of error message that can open you up to user enumeration attacks. I think Lock will display the returned message by default but you might need to do a small amount of work to get it working. Please let me know if you run into problems with that.
Thanks for following up on that Thomas!