Avoid verification code emails when the user is not registered
Azure B2C gives a false impression that the user is in the directory when they try to reset their password.
Following are the steps in reset password:
1) User clicks the Reset Password link
2) B2C presents a page with “Email Address” field and says “Verification is necessary. Please click Send button.”
3) User enters his email address and clicks “Send Verification Code”
4) B2C sends the verification code to that email address (even if no user is associated with that email address. This is where the user thinks he is registered with the system)
5) Now the user enters the verification code he received and clicks “Verify Code”
6) B2C validates the code and says “E-mail address verified. You can now continue” (This is the step where they become confident that they exist in the system)
7) Now when the users click “Continue” they get the error “An account could not be found for the provided user ID.”, as given in the screenshot.
Confirming an email that is not associated with a user completely confuses them. We already encountered many users who are facing this issue.
If this was a conscious decision to try to prevent attackers from knowing whether the account exists, it would be reasonable to have the email sent to the user inform the user that no account could be found (rather than sending a pin).
Not currently planned for the next 6 months, but it is in our roadmap.
Carlos Ortega commented
I'm checking in once again. Any updates? When might we expect remediation?
Megan A. commented
It is boggling that this process functions this way and we have no way to fix it. With our custom styling, the user can get both a failure message (couldn't find the account - not a B2C user) AND a success message (your email is verified, you can now change your password). As others have stated, there is 0 reason to verify the email if they can't reset the password because it isn't a registered B2C user. It isn't just bad for security reasons, it's horrible for user experiences as we're migrating more public-facing apps to the cloud that include profiles from the previous versions and they miss that they need to technically register their emails again. We went live with a new app that's had at least two known users try the reset process without registering first. They should be short-circuited out if they're not registered first. I can't think of any other password reset I've done with any site or application that doesn't first verify you're a user before utilizing any sort of 2F authentication. How this went live as it did makes zero sense, and if I'd known this is how the reset process functions beforehand I would've recommended we not go live until it is fixed.
Can you please confirm timelines on this, as it's confusing a lot of our users who are having issues logging in.
Any update on this feature?
This actually seems like a security issue. Saying an email has been sent on the web page is fine, but actually sending the code to an email address that was never registered in the first place is exposing information about the system to an unregistered user. An attacker could enter an email address they have access to as part of attempting to footprint the system, for example.
rohit chouhan commented
Leo Davidson commented
I think this should be a higher priority. It is possible for a malicious user to basically spam any email address with the verification emails. I agree that B2C should not present an 'account not found' message that exposes whether an account actually exists or not, but it should not send a useless verification email to any address a user types in, e.g. firstname.lastname@example.org :-)
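A reset flow shaped the way the original post and the comment above ask for (no code is ever mailed to an unregistered address, the web page gives the same answer either way so it cannot be used to enumerate accounts, and repeat requests are throttled so the endpoint cannot be used to flood a mailbox), as an added illustration that is not Azure B2C code or anything posted in this thread; the user set, the in-memory mail outbox and the 60-second interval are constructed assumptions:

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory: only these addresses are registered users.
REGISTERED_USERS = {"alice@example.org", "bob@example.org"}

# Same text for every request, so the page never reveals whether the address exists.
GENERIC_RESPONSE = "If an account exists for that address, a verification code has been sent."


@dataclass
class ResetService:
    users: set
    sent_emails: list = field(default_factory=list)   # stand-in for the mail gateway
    pending: dict = field(default_factory=dict)       # email -> (code, expiry)
    last_request: dict = field(default_factory=dict)  # email -> timestamp, for throttling
    min_interval_s: float = 60.0                      # assumed throttle window

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        key = email.strip().lower()
        # Throttle per address so repeated requests cannot flood someone's mailbox.
        recent = self.last_request.get(key)
        if recent is not None and now - recent < self.min_interval_s:
            return GENERIC_RESPONSE
        self.last_request[key] = now
        # Only a registered account ever receives a code; unknown addresses get no email.
        if key in self.users:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[key] = (code, now + 600)   # code valid for 10 minutes
            self.sent_emails.append((key, code))
        return GENERIC_RESPONSE

    def verify_code(self, email: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = email.strip().lower()
        entry = self.pending.get(key)
        if entry is None:            # unregistered or never requested: nothing to verify
            return False
        expected, expiry = entry
        if now > expiry:
            del self.pending[key]
            return False
        ok = hmac.compare_digest(expected, code)   # constant-time comparison
        if ok:
            del self.pending[key]    # one-time use
        return ok
```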
Carlos Ortega commented
Are there any updates? Where on the roadmap or list of priorities does this issue fall?
David Zimmerman commented
Any update on timelines for this feature?
We also need this feature since it confuses users as to whether they are registered or not.
Please prioritize this.