Preflight checklist
Describe your problem
(Might be duplicate of #133)
In the passwordless email login flow (method: code, passwordless_enabled: true), account enumeration is possible.
The response returned by Kratos differs depending on whether the identifier exists in the database. We would like to know whether there is a supported configuration option, similar to security.account_enumeration.mitigate for identifier-first authentication, to mitigate account enumeration for passwordless email login (we have tried enabling this setting and, as expected, it does not affect the passwordless code flow).
Observed behavior
Identifier exists
Request:
{
"csrf_token": "<token>",
"identifier": "test@test.com",
"method": "code"
}
Response:
{
"messages": [
{
"id": 1010014,
"text": "An email containing a code has been sent to the email address you provided. If you have not received an email, check the spelling of the address and retry the login.",
"type": "info"
}
]
}
Identifier does not exist
Request:
{
"csrf_token": "<token>",
"identifier": "nonexistent@test.com",
"method": "code"
}
Response:
{
"messages": [
{
"id": 4000035,
"text": "This account does not exist or has not setup sign in with code.",
"type": "error"
}
]
}
Describe your ideal solution
Is there a supported or planned configuration setting, comparable to security.account_enumeration.mitigate for identifier-first authentication, that would allow account enumeration mitigation for the passwordless email (code) login flow?
If not, confirmation that this behavior is expected and intentionally unsupported would also be helpful.
Workarounds or alternatives
We have had to disable the Passwordless feature for now.
Version
Kratos self hosted v1.3.1
Additional Context
Environment
| Setting | Value |
| --- | --- |
| Ory Kratos | v1.3.1 |
| Authentication flow | passwordless email login |
| Login method | code |
| passwordless_enabled | true |
Relevant configuration
```yaml
selfservice:
  methods:
    code:
      enabled: true
      passwordless_enabled: true

security:
  account_enumeration:
    mitigate: true
```
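The two responses quoted above are a textbook enumeration oracle: a single request per email address tells an attacker whether that address is registered. The following script is an added example (not part of the original issue and not Ory code) that turns the observation into a repeatable check. It classifies a login response by the message ids quoted in the issue, reports which observable fields differ between the "known" and "unknown" identifier responses (an empty set means the oracle is gone, which is what a mitigation should produce), and includes an optional live probe against a Kratos public API URL. The live probe assumes the standard `/self-service/login/api` and `/self-service/login?flow=` endpoints and is not exercised by the offline sample data, which is constructed from the bodies quoted in the issue.

```python
"""Check an Ory Kratos passwordless (method: code) login for an account-enumeration oracle.

Added example; not part of the issue or of Ory's code base. Message ids are the ones
quoted in the issue for Kratos v1.3.1.
"""
import json
import urllib.error
import urllib.request

CODE_SENT_ID = 1010014   # info: "An email containing a code has been sent ..."
NO_ACCOUNT_ID = 4000035  # error: "This account does not exist or has not setup sign in with code."

# Constructed sample data, copied from the two responses quoted in the issue.
RESP_EXISTS = {"messages": [{"id": CODE_SENT_ID, "type": "info",
    "text": "An email containing a code has been sent to the email address you provided. "
            "If you have not received an email, check the spelling of the address and retry the login."}]}
RESP_MISSING = {"messages": [{"id": NO_ACCOUNT_ID, "type": "error",
    "text": "This account does not exist or has not setup sign in with code."}]}


def _messages(body):
    """Collect message objects from both places Kratos may put them: the top-level
    'messages' array (as quoted in this issue) and 'ui.messages' (full flow payload)."""
    msgs = list(body.get("messages") or [])
    msgs.extend((body.get("ui") or {}).get("messages") or [])
    return [m for m in msgs if isinstance(m, dict)]


def classify(body):
    """Return 'exists', 'not_exists' or 'unknown' for one login response body."""
    ids = {m.get("id") for m in _messages(body)}
    if NO_ACCOUNT_ID in ids:
        return "not_exists"
    if CODE_SENT_ID in ids:
        return "exists"
    return "unknown"


def leak_signals(resp_known, resp_unknown):
    """Set of observable fields that differ between the response for a registered
    identifier and the one for an unregistered identifier. Empty set == no oracle
    in these fields, i.e. the behaviour a mitigation setting should produce."""
    def fingerprint(body):
        msgs = _messages(body)
        return {
            "message_ids": tuple(sorted(str(m.get("id")) for m in msgs)),
            "message_types": tuple(sorted(str(m.get("type")) for m in msgs)),
            "message_texts": tuple(sorted(str(m.get("text")) for m in msgs)),
        }
    a, b = fingerprint(resp_known), fingerprint(resp_unknown)
    return {k for k in a if a[k] != b[k]}


def probe(base_url, identifier, timeout=10):
    """Live check (assumption: Kratos public API reachable at base_url, e.g.
    http://127.0.0.1:4433). Starts an API login flow, submits the code method for
    `identifier` and returns the parsed JSON body, including 4xx bodies."""
    flow = json.load(urllib.request.urlopen(f"{base_url}/self-service/login/api", timeout=timeout))
    req = urllib.request.Request(
        f"{base_url}/self-service/login?flow={flow['id']}",
        data=json.dumps({"method": "code", "identifier": identifier}).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:  # Kratos returns the flow with messages on 4xx
        return json.load(e)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; prints the leaking fields.
    print(classify(RESP_EXISTS), classify(RESP_MISSING))
    print(sorted(leak_signals(RESP_EXISTS, RESP_MISSING)))
```

Run `probe(base_url, known_email)` and `probe(base_url, unknown_email)` against a test deployment and feed both bodies to `leak_signals`; a non-empty result is the enumeration bug, and the same call makes a useful regression check after any upstream fix or configuration change. Response timing and HTTP status are further channels this script does not compare.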