Comment by extra88
15 minutes ago
How would you avoid that? How would someone exploit that information? The whole point of the other auth means are that they're more secure.
If someone enters a username that doesn't exist in the system, then you randomly prompt for a password or an alternate method, so it looks like an account may exist.
Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier, i.e. you can focus attack resources on usernames that have active accounts.
It's very low on my list of concerns, though; usually there are much worse problems when I pentest.
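The mitigation the comment sketches (answering an unknown username with a plausible password or second-factor prompt instead of an error), as an added illustration that is not part of the thread or of any product it discusses. Everything here is assumed: the `USERS` table and its method names are constructed sample data, and `DECOY_KEY`, `decoy_method` and `next_auth_step` are hypothetical names. It goes one step past the comment: the decoy prompt is derived from a keyed hash of the username rather than picked at random, so an attacker re-submitting the same unknown username gets the same prompt every time, just as a real account would.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example: username -> first auth step the
# login flow asks for. A real deployment would read this from its user store.
USERS = {
    "alice": "totp",
    "bob": "password",
    "carol": "webauthn",
}
METHODS = ("password", "totp", "webauthn")

# Hypothetical server-side secret. Persist it in real use; re-rolling it on
# restart changes every decoy prompt, which an attacker could notice over time.
DECOY_KEY = secrets.token_bytes(32)


def decoy_method(username: str, key: bytes = DECOY_KEY) -> str:
    """Choose the prompt to show for a username that does not exist.

    HMAC(key, username) instead of random.choice(): the choice is stable for a
    given username, so repeated probes of a fake account look like repeated
    probes of a real one, and without the key the client cannot predict which
    usernames are decoys.
    """
    digest = hmac.new(key, username.encode("utf-8"), hashlib.sha256).digest()
    return METHODS[digest[0] % len(METHODS)]


def next_auth_step(username: str, users=USERS, key: bytes = DECOY_KEY) -> dict:
    """Return the prompt the login page should show after the username step.

    The response has the same shape and vocabulary whether or not the account
    exists, so this step of the flow reveals nothing about registered names.
    (Response time should be kept comparable too; the HMAC here is cheap, but
    a real lookup may not be.)
    """
    method = users.get(username)
    if method is None:
        method = decoy_method(username, key)
    return {"username": username, "next": method}


def leaky_next_auth_step(username: str, users=USERS) -> dict:
    """The enumerable version, for contrast: unknown names get a distinct error."""
    if username not in users:
        return {"error": "unknown user"}
    return {"username": username, "next": users[username]}


if __name__ == "__main__":
    for name in ("alice", "mallory"):
        print(name, next_auth_step(name), leaky_next_auth_step(name))
```

Note that a second-factor prompt for a decoy still has to lead somewhere sensible: whatever the user submits for it must be rejected with the same generic failure message and the same rate limiting the real accounts get, or the enumeration just moves to the next step.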