Avoid verification code emails when the user is not registered
Azure B2C gives a false impression that the user is in the directory when they try to reset their password.
Following are the steps in reset password:
1) User clicks the Reset Password link
2) B2C presents a page with “Email Address” field and says “Verification is necessary. Please click Send button.”
3) User enters his email address and clicks “Send Verification Code”
4) B2C sends the verification code to that email address (even if no user is associated with that email address. This is where the user thinks he is registered with the system)
5) Now the user enters the verification code he received and clicks “Verify Code”
6) B2C validates the code and says “E-mail address verified. You can now continue” (This is the step where they become confident that they exist in the system)
7) Now when the users click “Continue” they get the error “An account could not be found for the provided user ID.” As given in the screenshot.
Confirming an email that is not associated with a user completely confuses them. We already encountered many users who are facing this issue.
If this was a conscious decision to try to prevent attackers from knowing whether the account exists, it would be reasonable to have the email sent to the user inform the user that no account could be found (rather than sending a pin).
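As an added illustration of the alternative the post proposes (this is example code, not from the feedback post and not Azure AD B2C's implementation), the handler below keeps the web response identical whether or not the address is registered, so the reply itself reveals nothing, but the e-mail that goes out differs: a registered address gets a verification code, an unregistered one gets a "no account was found" notice. The names `ResetService`, `Mailbox`, `request_reset` and `verify_code`, and the sample user list, are assumptions made for this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for an outbound e-mail service: records what would be sent.
@dataclass
class Mailbox:
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


@dataclass
class ResetService:
    users: set                     # normalized e-mail addresses of registered users (constructed sample)
    mailbox: Mailbox
    pending: dict = field(default_factory=dict)   # address -> SHA-256 of the outstanding code

    @staticmethod
    def normalize(email: str) -> str:
        return email.strip().lower()

    def request_reset(self, email: str) -> str:
        """Step 3 of the flow: the user asked for a verification code."""
        addr = self.normalize(email)
        if addr in self.users:
            # Registered: issue a single-use six-digit code and store only its hash.
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[addr] = hashlib.sha256(code.encode()).hexdigest()
            self.mailbox.send(addr, "Your password reset code",
                              f"Your verification code is {code}.")
        else:
            # Not registered: tell the inbox owner plainly instead of sending a code
            # that would later fail with "account could not be found".
            self.mailbox.send(addr, "Password reset requested",
                              "No account was found for this address. If you expected one, "
                              "check the address you used or sign up.")
        # Same message on both paths: the HTTP reply must not disclose which branch ran.
        return "If an account exists for that address, we have sent instructions."

    def verify_code(self, email: str, code: str) -> bool:
        """Step 5 of the flow: constant-time check of the submitted code; codes are single use."""
        addr = self.normalize(email)
        expected = self.pending.get(addr)
        if expected is None:
            return False
        ok = hmac.compare_digest(expected, hashlib.sha256(code.encode()).hexdigest())
        if ok:
            del self.pending[addr]
        return ok


if __name__ == "__main__":
    mb = Mailbox()
    svc = ResetService(users={"alice@example.com"}, mailbox=mb)
    print(svc.request_reset("nobody@example.com"))
    print(mb.sent[-1]["body"])
```

The enumeration protection lives in the uniform web response and in the fact that only the person who can read the mailbox learns whether the address is registered, which is the same information a successful reset would give them anyway. Production code would add rate limiting per address and per source, and an expiry on `pending` entries.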
Not currently planned for the next 6 months, but it is in our roadmap.
We also need this feature since it confuses users whether they are registered or not.
Please prioritize this.