Andrew Feeney on Nostr: Suppose you have a sign in form which first accepts an email address and then ...
Suppose you have a sign in form which first accepts an email address and then proceeds to MFA steps. If you enter an email which does not match one in the system you get an error. "No matching account found" or whatever. Conversely if you enter an email which matches, you progress to the next screen. In this way you can know whether or not a particular email address is registered with the service.
What would be an alternative approach that doesn't reveal this information?
#InfoSec #WebDev
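One way to close the gap the post describes, added here as an example and not code from the post or its author: the first step always moves the visitor to a code-entry screen and always does the same server-side work, so the response is identical for registered and unregistered addresses. Only a registered address actually receives a code; an unknown address gets a challenge bound to a random code that is never delivered. The user store, the in-memory `OUTBOX` standing in for e-mail or push delivery, and the `deliver_code` helper are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example, not a real service: a tiny user store,
# a server secret for keyed digests, and an in-memory "outbox" standing in for
# out-of-band delivery (e-mail, SMS, push) so the flow can be exercised offline.
SERVER_SECRET = secrets.token_bytes(32)
USERS = {"alice@example.com": {"mfa_enrolled": True}}
OUTBOX: list[tuple[str, str]] = []        # (email, code) pairs "delivered"
PENDING: dict[str, dict] = {}             # challenge token -> challenge state
MAX_ATTEMPTS = 5

# The same response objects are used for every caller, whatever the outcome.
GENERIC_NEXT = {
    "status": "ok",
    "next": "verify_code",
    "message": "If that address is registered, a sign-in code has been sent to it.",
}
GENERIC_FAIL = {"status": "error", "message": "That code is invalid or has expired."}


def first_step_vulnerable(email: str) -> dict:
    """The flow from the post: the response itself says whether the account exists."""
    if email.strip().lower() not in USERS:
        return {"status": "error", "message": "No matching account found"}
    return {"status": "ok", "next": "mfa"}


def _digest(code: str) -> bytes:
    """Keyed digest of a one-time code so the stored form is not the code itself."""
    return hmac.new(SERVER_SECRET, code.encode(), hashlib.sha256).digest()


def deliver_code(email: str, code: str) -> None:
    """Hypothetical out-of-band delivery; here it just records the message."""
    OUTBOX.append((email, code))


def first_step_hardened(email: str) -> dict:
    """Identical response and identical server-side work for known and unknown e-mails.

    Every caller is moved to the code-entry screen. A registered user receives a
    real code out of band; an unknown address gets a challenge whose code is random
    and never delivered, so it can never be satisfied, and nothing in the response
    distinguishes the two cases.
    """
    email = email.strip().lower()
    token = secrets.token_urlsafe(24)
    code = f"{secrets.randbelow(10**6):06d}"       # generated on both paths
    if email in USERS:
        deliver_code(email, code)                   # the only difference, off the response path
    PENDING[token] = {"email": email, "digest": _digest(code), "attempts": 0}
    return {**GENERIC_NEXT, "challenge": token}


def verify_code(token: str, submitted: str) -> dict:
    """Second step: constant-time compare, attempt cap, and one generic failure message."""
    challenge = PENDING.get(token)
    if challenge is None:
        return GENERIC_FAIL
    challenge["attempts"] += 1
    if challenge["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(token, None)                    # burn the challenge after too many tries
        return GENERIC_FAIL
    if hmac.compare_digest(_digest(submitted.strip()), challenge["digest"]):
        PENDING.pop(token, None)                    # a code is single-use
        user = USERS.get(challenge["email"])
        if user is None:                            # undelivered code guessed: still no account
            return GENERIC_FAIL
        return {"status": "ok", "next": "mfa" if user["mfa_enrolled"] else "session"}
    return GENERIC_FAIL
```

The other common design is to collect the e-mail and the first credential on one screen and answer "invalid e-mail or password" to every failure, which removes the separate existence check altogether. Whichever shape is used, the delivery call should go onto a queue so response time does not depend on whether a message was sent, and the registration and password-reset forms need the same uniform responses, since they leak the same fact otherwise.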
Published at 2024-02-14 10:36:24
Event JSON
{
  "id": "4895deb1e7332ab79f21451bf29042797fa600aaac8d4c6dac6a75297a37ad96",
  "pubkey": "867a80506182864acc51f26202cc206dac96ab76b7c91ce86cda2e4334ee1a0d",
  "created_at": 1707906984,
  "kind": 1,
  "tags": [
    [
      "t",
      "infosec"
    ],
    [
      "t",
      "webdev"
    ],
    [
      "proxy",
      "https://phpc.social/users/andrewfeeney/statuses/111929392124125285",
      "activitypub"
    ]
  ],
  "content": "Suppose you have a sign in form which first accepts an email address and then proceeds to MFA steps. If you enter an email which does not match one in the system you get an error. \"No matching account found\" or whatever. Conversely if you enter an email which matches, you progress to the next screen. In this way you can know whether or not a particular email address is registered with the service.\n\nWhat would be an alternative approach that doesn't reveal this information?\n\n#InfoSec #WebDev",
  "sig": "a93cdc5044ffb4fdc9eee92062d9d1842286f30b86ebdb1e28493afe5e97e9e0778d741df9c4b3889ba261eb82c33331c8b59129c0f890412c48cd71de6239a5"
}