andrewfeeney,
@andrewfeeney@phpc.social avatar

Suppose you have a sign in form which first accepts an email address and then proceeds to MFA steps. If you enter an email which does not match one in the system you get an error. "No matching account found" or whatever. Conversely if you enter an email which matches, you progress to the next screen. In this way you can know whether or not a particular email address is registered with the service.

What would be an alternative approach that doesn't reveal this information?

viq,
@viq@hackerspace.pl avatar
andrewfeeney,
@andrewfeeney@phpc.social avatar

@viq I saw this! It’s brilliant.

sven,
@sven@phpc.social avatar

@andrewfeeney Adobe does this. But they just expose that “email not found” error. 🤦‍♂️

andrewfeeney,
@andrewfeeney@phpc.social avatar

@sven Even AWS expose email not found.

sven,
@sven@phpc.social avatar

@andrewfeeney sheesh.

caroga,

@andrewfeeney You could let the user always progress to the MFA step, and let them "fail successfully" on there. If the account does not exist, you could loop the MFA with "invalid code"-errors, while in reality there is no validation at all. This does come at the expense of "clouding" the real issue when legit users run into this error.
Or you could send the link to the MFA page to the mail, and have the user open this to proceed after the 1st step.
Just some ideas, not that great but yeah...

viq,
@viq@hackerspace.pl avatar

@andrewfeeney
Always go to second screen, with error message "account verification failed" or "wrong account or (verification)" (not sure how to properly refer to MFA here)

andrewfeeney,
@andrewfeeney@phpc.social avatar

@viq So you have to essentially pretend the account exists and accept an MFA code or whatever. Then presumably make sure the request takes the same amount of time as a real one?

viq,
@viq@hackerspace.pl avatar

@andrewfeeney
This may be a situation where having username and password together on first page, and second factor later may be easier, because then you can just say "account and password don't match", leaving only potentially timing analysis to figure out whether account exists or not.

andrewfeeney,
@andrewfeeney@phpc.social avatar

@viq What if it's a "magic link" style login, with no password at all?

codebyjeff,
@codebyjeff@hachyderm.io avatar

@viq @andrewfeeney if email is the only input, then that makes no difference

the usual way is to use the email to send out a code to that address, so that the person with the email can use but no info is leaked

that may be ugly for what you are designing
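An added example, not code from anyone in the thread, of the approach caroga and codebyjeff describe: the first step answers identically and does the same work whether or not the address is registered, and the second step has one generic failure path for "no such account", "wrong code" and "expired". The account set, stores, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

GENERIC_MSG = "If that address is registered, a sign-in code has been sent."
CODE_TTL = 600          # seconds a code stays valid
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded

# Constructed in-memory stores; a real system would use a database and a mail queue.
ACCOUNTS = {"alice@example.com"}   # registered addresses (constructed sample)
PENDING = {}                        # email -> [code hash, expiry, attempts]
OUTBOX = []                         # mails that would have been sent, kept for inspection

def _hash_code(email: str, code: str) -> bytes:
    # Bind the code to the address so a code issued for one account is useless for another.
    return hashlib.sha256(f"{email.lower()}:{code}".encode()).digest()

def request_code(email: str, now: float = None) -> str:
    """Step 1: take an email; reply with the same message and do the same work in both cases."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # six-digit one-time code
    digest = _hash_code(email, code)          # computed for every request, registered or not
    if email.lower() in ACCOUNTS:
        PENDING[email.lower()] = [digest, now + CODE_TTL, 0]
        OUTBOX.append((email, code))           # only a real account actually receives mail;
                                               # queue this asynchronously so it adds no latency
    return GENERIC_MSG                         # an unknown address gets an identical reply

def verify_code(email: str, code: str, now: float = None) -> bool:
    """Step 2: unknown address, wrong code and expired code all fail the same way."""
    now = time.time() if now is None else now
    key = email.lower()
    # An unknown address is checked against a dummy record, so the code path matches a real one.
    entry = PENDING.get(key) or [_hash_code(key, "000000"), 0.0, MAX_ATTEMPTS]
    ok = hmac.compare_digest(entry[0], _hash_code(key, code))   # constant-time comparison
    ok = ok & (entry[1] > now) & (entry[2] < MAX_ATTEMPTS)      # no short-circuit on the checks
    entry[2] += 1
    if ok or entry[2] >= MAX_ATTEMPTS:
        PENDING.pop(key, None)   # codes are single use and are discarded after too many tries
    return ok
```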

viq,
@viq@hackerspace.pl avatar

@codebyjeff
If you're designing authentication system, do you need to? Authentik, Keycloak, Authelia, ORY Hydra do a pretty good job of that, doing a lot of protections you probably didn't think of. And then you "just" need to add OIDC or SAML to your application.
@andrewfeeney

andrewfeeney,
@andrewfeeney@phpc.social avatar

@viq @codebyjeff I hear you. I'm dealing with an existing system design, and considering a response to a pen test result.
