17.2.2.15. User enumeration protection

User enumeration protection prevents attackers from finding out whether a user account with a given username exists or not.

This is especially relevant for public interfaces such as the authentication REST API.

User enumeration protection is achieved by not revealing what went wrong in a user-identifying step ("Stealth Mode"). Activation of user enumeration protection is configurable.

With user enumeration protection active, all respective failures (wrong passwords, not existing or locked user accounts, etc.) are answered with the same generic error code: AUTHENTICATION_FAILED. It also terminates the session on Airlock IAM and Airlock Gateway (WAF).

User enumeration protection cannot be combined with the Temporary Locking feature. It is recommended to configure a Fixed Response Duration for failed responses to prevent timing attacks.