Username enumeration issue
We have noticed that when trying to log in with a user that does not exist, a "No account found with this email" error message displays on the login screen.
This is problematic because in cases where they do exist, different behaviour applies and you are directed to the password screen.
This means it is possible to determine which usernames are valid based on the absence of the error message, which could then lead to an increased number of malicious attempts on that user, because it is shown to be valid.
Is it possible to configure Kinde so that you are always directed to the password screen, whether the username exists or not?
If it is not possible, please could I raise this as a strong suggestion, since it is fairly basic security best practice.
4 Replies
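The behaviour described in the post, as an added illustration that is not Kinde's code and is not from any participant in this thread: a two-step login modelled in Python, first in the leaky form (a distinct "no account" response at the identity step and at the password step) and then hardened so that every email is sent to the password screen and every failed attempt gets the same "invalid credentials" response. The user store, the `vulnerable_*` / `hardened_*` function names and the `enumerate_accounts` probe are all constructed for this example; the hardened path also verifies against a dummy hash for unknown accounts so the work done does not depend on whether the account exists.

```python
import hashlib
import hmac
import os

# Constructed sample user store (email -> (salt, PBKDF2 hash)); hypothetical, not Kinde's model.
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT)),
}

# Dummy credential used for unknown emails so the hardened path performs the same hashing work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-never-matches", _DUMMY_SALT)


def vulnerable_identify(email: str) -> str:
    """Identity step as described in the post: a different response when the account is missing."""
    if email not in USERS:
        return "error: No account found with this email"
    return "password_screen"


def vulnerable_login(email: str, password: str) -> str:
    """Password step that still distinguishes 'no such account' from 'wrong password'."""
    if email not in USERS:
        return "no_account"
    salt, stored = USERS[email]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "ok"
    return "wrong_password"


def hardened_identify(email: str) -> str:
    """Identity step that always proceeds to the password screen, whether or not the email exists."""
    return "password_screen"


def hardened_login(email: str, password: str) -> str:
    """Password step with one failure response and equal work for known and unknown emails."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    # The existence check is applied after hashing so an unknown email can never succeed.
    if matches and email in USERS:
        return "ok"
    return "invalid_credentials"


def enumerate_accounts(candidates, probe, control="definitely-not-a-user@example.invalid"):
    """Attacker's view: record the response for an email known not to exist, then flag every
    candidate whose response differs. Works against any probe that maps email -> response."""
    baseline = probe(control)
    return sorted(email for email in candidates if probe(email) != baseline)


CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    print("leaky identity step :", enumerate_accounts(CANDIDATES, vulnerable_identify))
    print("leaky password step :", enumerate_accounts(CANDIDATES, lambda e: vulnerable_login(e, "x")))
    print("hardened identity   :", enumerate_accounts(CANDIDATES, hardened_identify))
    print("hardened password   :", enumerate_accounts(CANDIDATES, lambda e: hardened_login(e, "x")))
```

Against the leaky functions the probe recovers `alice@example.com` from either step; against the hardened ones every candidate produces the same response as the control email, so the probe learns nothing. Making the messages identical is the necessary part; hashing against a dummy credential for unknown emails is the caveat, because a code path that skips the expensive hash for missing accounts leaks the same bit through response time.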
Hi Dan,
Thank you for bringing this to our attention. I understand the security implications of the current login behavior, and I appreciate your suggestion.
I’ll raise this to our team to assess whether it’s possible to configure Kinde to direct users to the password screen regardless of the username's existence. Once I have more information or updates, I’ll get back to you promptly.
Please let me know if there’s anything else you’d like me to include when escalating this.
Hey Dan. We should have an enumeration attack protection feature out within a week or two.
Thanks @Zaki and @CB_Kinde — please could you comment on here when the feature is available and let me know how to use it? Thanks
Hi @Dan,
Thanks for your message! Noted — we’ll make sure to get back to you here once the feature is live. Let me know if there’s anything else in the meantime.