Username enumeration issue
We have noticed that when trying to log in with a user that does not exist, a "No account found with this email" error message displays on the login screen.
This is problematic because in cases where they do exist, different behaviour applies and you are directed to the password screen.
This means it is possible to determine which usernames are valid based on the absence of the error message, and could then lead to increased numbers of malicious attempts on that user because it is shown to be valid.
Is it possible to configure Kinde so that you are always directed to the password screen, whether the username exists or not?
If it is not possible, please could I raise this as a strong suggestion, since it is fairly basic security best practice.
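To illustrate the difference the post is describing, here is an added example (not Kinde's code, and not from the original poster) of a two-step login's identifier step in both forms: a leaky version that reveals whether the email exists, and a uniform version that always proceeds to the password step and only ever returns one generic failure message. The user store, the password hashing scheme and the `Step` type are constructed for the example. The dummy-hash work for unknown accounts is included so that the password step does not leak the same information through response time.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the scheme is an assumption for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory user store for the example (not a real data model).
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy credential so unknown accounts cost the same hashing work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid email or password"


@dataclass(frozen=True)
class Step:
    next_step: str  # "password" or "error"
    message: str


def identify_leaky(email: str) -> Step:
    # Vulnerable form: the response itself says whether the account exists.
    if email not in USERS:
        return Step("error", "No account found with this email")
    return Step("password", "")


def identify_uniform(email: str) -> Step:
    # Hardened form: same response regardless of whether the account exists.
    return Step("password", "")


def authenticate_uniform(email: str, password: str) -> tuple[bool, str]:
    # Always run the same hash computation, then compare in constant time,
    # and return a single generic message for every failure cause.
    record = USERS.get(email)
    if record is None:
        salt, stored = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, stored = record
    candidate = _hash_password(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    # The dummy hash must never count as a successful login.
    ok = matches and record is not None
    return (True, "") if ok else (False, GENERIC_FAILURE)


if __name__ == "__main__":
    print("leaky   :", identify_leaky("nobody@example.com"))
    print("uniform :", identify_uniform("nobody@example.com"))
    print("auth    :", authenticate_uniform("nobody@example.com", "x"))
```

The check a reviewer would apply to a real login flow is the one the first two functions make explicit: for a known and an unknown identifier, the response status, body and next step must be identical, and the only distinguishing signal should be a correct password.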
