Avoid verification code emails when the user is not registered
Azure B2C gives a false impression that the user is in the directory when they try to reset their password.
Following are the steps in reset password:
1) User clicks the Reset Password link
2) B2C presents a page with “Email Address” field and says “Verification is necessary. Please click Send button.”
3) User enters his email address and clicks “Send Verification Code”
4) B2C sends the verification code to that email address (even if no user is associated with that email address. This is where the user thinks he is registered with the system)
5) Now the user enters the verification code he received and click “Verify Code”
6) B2C validates the code and says “E-mail address verified. You can now continue” (This is the step where they become confident that they exist in the system)
7) Now when the users click “Continue” they get the error “An account could not be found for the provided user ID.” As given in the screenshot.
Confirming an email that is not associated with a user completely confuses them. We already encountered many users who are facing this issue.
If this was a conscious decision to try to prevent attackers from knowing whether the account exists, it would be reasonable to have the email sent to the user inform the user that no account could be found (rather than sending a pin).
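The reset flow from the steps above, reduced to a small Python model, added here as an example and not code from B2C or the original post: `request_reset_leaky` mirrors step 4 (a code is emailed before any directory lookup), while `request_reset_hardened` keeps the page response identical for every address, emails a "no account found" notice to unknown addresses as suggested, and rate-limits per address so the form cannot be used to flood an arbitrary inbox. The user directory, the in-memory outbox and the 3-emails-per-10-minutes limit are constructed assumptions.

```python
import secrets
import time
from collections import defaultdict

# Constructed sample directory (hypothetical, not real B2C data): email -> user id
USERS = {"alice@example.com": "user-001"}
# Constructed outbox standing in for the mail service, so the example runs offline
OUTBOX = []                          # list of (recipient, subject)
_CODES = {}                          # email -> verification code that was issued
_SENT_AT = defaultdict(list)         # email -> times a reset email went out
RATE_LIMIT, WINDOW_SECONDS = 3, 600  # assumed policy: 3 emails per address per 10 min
PAGE_MESSAGE = "If an account exists for this address, an email has been sent."

def _send(recipient, subject):
    OUTBOX.append((recipient, subject))

def request_reset_leaky(email):
    """The flow the post describes: a code is issued and emailed before any
    directory lookup, so an unregistered address receives a working code."""
    _CODES[email] = f"{secrets.randbelow(10**6):06d}"
    _send(email, "Your verification code")
    return "Verification code sent."

def request_reset_hardened(email, now=None):
    """Same page message for every address (nothing to enumerate on the web
    page), but the email content depends on the lookup, and each address is
    rate-limited so the flow cannot be used to spam arbitrary inboxes."""
    now = time.time() if now is None else now
    recent = [t for t in _SENT_AT[email] if now - t < WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:
        _SENT_AT[email] = recent
        return PAGE_MESSAGE              # quietly dropped; page looks identical
    _SENT_AT[email] = recent + [now]
    if email in USERS:
        _CODES[email] = f"{secrets.randbelow(10**6):06d}"
        _send(email, "Your verification code")
    else:
        _send(email, "No account found for this address")
    return PAGE_MESSAGE

def verify_code(email, code):
    """Step 6: only an address that was actually issued a code can pass."""
    issued = _CODES.get(email)
    return issued is not None and secrets.compare_digest(issued, code)
```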
Not currently planned for the next 6 months, but it is in our roadmap.
This actually seems like a security issue. Saying an email has been sent on the web page is fine, but actually sending the code to an email address that was never registered in the first place is exposing information about the system to an unregistered user. An attacker could enter an email address they have access to as part of attempting to footprint the system, for example.
rohit chouhan commented
Leo Davidson commented
I think this should be a higher priority. It is possible for a malicious user to basically spam any email address with the verification emails. I agree that B2C should not present an 'account not found' message that exposes whether an account actually exists or not, but it should not send a useless verification email to any address a user types in, e.g. email@example.com :-)
Carlos Ortega commented
Are there any updates? Where on the roadmap or list of priorities does this issue fall?
David Zimmerman commented
Any update on timelines for this feature?
We also need this feature since it confuses user whether they are registered or not.
Please prioritize this.