Kinde · 2mo ago
Dan

Username enumeration issue

We have noticed that when trying to log in with a user that does not exist, a "No account found with this email" error message displays on the login screen. This is problematic because in cases where they do exist, different behaviour applies and you are directed to the password screen. This means it is possible to determine which usernames are valid based on the absence of the error message, and could then lead to increased numbers of malicious attempts on that user because it is shown to be valid. Is it possible to configure Kinde so that you are always directed to the password screen, whether the username exists or not? If it is not possible, please could I raise this as a strong suggestion, since it is fairly basic security best practice.
7 Replies
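The two login behaviours Dan contrasts above, shown side by side as an added example (this is illustrative code, not Kinde's implementation; the in-memory user store, the salt and the function names `leaky_identify`, `hardened_identify` and `hardened_login` are all constructed for the demonstration). The leaky path answers the identity step differently depending on whether the account exists; the hardened path always advances to the password step and, at that step, does the same hashing work and returns the same generic message for an unknown email and a wrong password alike, so neither the response body nor the response time reveals whether the account exists.

```python
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for this example only (not Kinde's data model).
_SALT = b"constructed-fixed-salt-16"
USERS = {
    "alice@example.com": {"salt": _SALT, "hash": _hash_password("correct horse", _SALT)},
}

# Dummy credential used when no account matches, so the hardened path performs
# the same hashing work (and returns the same message) whether or not the user exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def leaky_identify(email: str) -> dict:
    """Identity step as described in the thread: the response itself reveals existence."""
    if email not in USERS:
        return {"next": "error", "message": "No account found with this email"}
    return {"next": "password"}


def hardened_identify(email: str) -> dict:
    """Identity step with enumeration protection: always proceed to the password screen."""
    return {"next": "password"}


def hardened_login(email: str, password: str) -> dict:
    """Password step: one generic failure for unknown email and wrong password alike."""
    record = USERS.get(email)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    candidate = _hash_password(password, salt)
    # Always run the constant-time comparison, then combine with existence,
    # so an unknown email does not short-circuit and finish faster.
    matches = hmac.compare_digest(candidate, expected)
    if record is not None and matches:
        return {"ok": True}
    return {"ok": False, "message": "Invalid email or password"}


def responses_distinguish(identify, known: str, unknown: str) -> bool:
    """Check helper: does the identity step answer differently for a known vs unknown email?"""
    return identify(known) != identify(unknown)


if __name__ == "__main__":
    known, unknown = "alice@example.com", "nobody@example.com"
    print("leaky path leaks existence:   ", responses_distinguish(leaky_identify, known, unknown))
    print("hardened path leaks existence:", responses_distinguish(hardened_identify, known, unknown))
    print("wrong password:", hardened_login(known, "wrong"))
    print("unknown user:  ", hardened_login(unknown, "wrong"))
```

The `responses_distinguish` helper is the kind of check worth keeping in a test suite: it fails the moment someone reintroduces an account-specific message on the identity step. Uniform messages alone are not enough; the dummy-hash step matters because skipping the hash for unknown accounts would leave a timing signal behind.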
Zaki · 2mo ago
Hi Dan, Thank you for bringing this to our attention. I understand the security implications of the current login behavior, and I appreciate your suggestion. I’ll raise this to our team to assess whether it’s possible to configure Kinde to direct users to the password screen regardless of the username's existence. Once I have more information or updates, I’ll get back to you promptly. Please let me know if there’s anything else you’d like me to include when escalating this.
CB_Kinde · 2mo ago
Hey Dan. We should have an enumeration attack protection feature out within a week or two.
Dan (OP) · 2mo ago
Thanks @Zaki and @CB_Kinde — please could you comment on here when the feature is available and let me know how to use it? Thanks
Zaki · 2mo ago
Hi @Dan, Thanks for your message! Noted — we’ll make sure to get back to you here once the feature is live. Let me know if there’s anything else in the meantime.
Oli - Kinde · 2mo ago
Hey there, The enumeration attack protection feature is now live. You can read about it here. Let me know if you have any questions.
[Link preview: Kinde docs – Configure attack protection]
Dan (OP) · 4w ago
@Zaki @CB_Kinde @Oli - Kinde — thanks for implementing this so quickly! I've just added it to our accounts and it's working as expected. I do think that as a best practice this should be implemented as a default and more of your other users would benefit from it, but I'm glad we've at least been able to implement it. Thanks
CB_Kinde · 4w ago
Very pleased to hear it @Dan. We do agree it's best practice to have this on, but shipping with it on by default was risking breaking changes for some customers' auth.
