User enumeration protection
17.2.4.4. User enumeration protection in the public self-service flows

Public self-service flows may be configured to mitigate user enumeration attacks by not providing details about failures to the caller. This ensures that an attacker cannot distinguish an existing identity from a non-existing identity.

User enumeration protection is enabled by the default in the provided Restriction plugins (Default Password Reset Restrictions, Default Self-Unlock Restrictions) but requires the flow to contain an identity verification step.

Flow Step
Behavior if no restriction prevents the flow
Behavior if at least one restriction prevents the flow
Comments
User Identification Step
Succeeds with 200 OK
Succeeds with 200 OK
The REST responses are identical in both cases.
Email Identity Verification Step
An email OTP is sent to the user.
Any incorrect OTP is rejected and the flow is aborted after the configured number of retries.
A correct OTP is accepted and the flow will continue.
No email OTP is sent to the user.
Any OTP is rejected and the flow is aborted after the configured number of retries.
The negative REST responses and the number of retries are identical in both cases.
SMS Identity Verification Step
Sends an OTP to the last used number (no number selection).
Flow continues if correct OTP is provided.
Does not fail if the user does not exist or no phone number is available.
Rejects all OTPs so the step can never be completed successfully.
 
Secret Questions Identity Verification Step
Ask answers to secret questions.
Proceed if the answers are correct.
Does not fail if the user does not exist or if no answers are stored for the user.
Rejects all answers so the step can never be completed successfully.
 
Table 26: Detail behavior of selected steps:

Public self-service flows can be configured to provide detailed user feedback in case some of the restrictions prevent the flow.

  • Be aware that enabling user feedback on the flow restrictions plugin allows user enumeration, as this allows an attacker to distinguish between existing and non-existing user accounts.
  • User enumeration protection is limited to flows using the User Identification Step as first and an identity verification step providing username enumeration protection as the second step (see table above). Other flows steps may also provide user enumeration protection. Please review the plugin documentation for details.
  • If a flow configuration deviates from the above and one of the first two steps in the flow does not provide protection against username enumeration, user enumeration protection is not guaranteed.