
Preventing User Enumeration

This guide describes how to prevent user enumeration, a weakness that lets attackers discover which usernames or email addresses are registered in your system by probing for their presence.

Overview

User enumeration attacks occur when an attacker is able to determine whether a specific user account exists in your system by analyzing error messages. To protect users' privacy and prevent these attacks, Descope provides built-in mechanisms to hide sensitive information and control error-handling behavior.

Hide Sensitive Information for Password Authentication

When using password-based authentication, you can prevent attackers from guessing valid user accounts by hiding detailed error messages.

On the Authentication Methods --> Passwords page of the Descope Console, toggle on Hide sensitive error information.


When this option is enabled, Descope will return generic error messages for failed password logins instead of revealing whether the issue was due to an invalid user or incorrect password. This helps protect against user enumeration attacks by not confirming the existence of accounts.

Customize Error Handling

By default, Descope provides automatic handling for authentication errors. However, you can also customize how errors are handled in your flow to protect against user enumeration:

In the Flow editor, open the relevant action (e.g., Sign Up or In / OTP / Email) and configure the Error Handling step.

Under Handling, select Mitigate. This handles the error silently and proceeds as if the step had succeeded. It is useful when you want to hide the cause of an error but continue the flow (e.g., display a generic "If this account exists, you'll receive an email" message).


By customizing error handling, you can ensure that your users receive consistent, generic messages while preventing attackers from learning which part of the authentication process failed.

You can apply this error handling configuration to any authentication method action within your flow.
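As an added illustration (not Descope's code or SDK), here is a minimal Python login handler in the leaky form beside the generic-message form that the toggle and the Mitigate step produce, plus an OTP-send stub that answers identically whether or not the account exists. The in-memory user store, passwords and the send_otp_mitigated helper are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: email -> PBKDF2 hash of the password.
_SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice@example.com": _hash("correct horse")}
# Hash to compare against when the user is unknown, so both branches do the same work.
_DUMMY_HASH = _hash("placeholder-not-a-real-password")

GENERIC_LOGIN_ERROR = "Invalid username or password"
GENERIC_OTP_MESSAGE = "If this account exists, you'll receive an email"


def login_verbose(email: str, password: str) -> str:
    """Leaky handler: the error text tells the caller whether the account exists."""
    stored = USERS.get(email)
    if stored is None:
        return "User not found"
    if not hmac.compare_digest(stored, _hash(password)):
        return "Incorrect password"
    return "OK"


def login_generic(email: str, password: str) -> str:
    """Hardened handler: one generic message, and the same hashing work, on every failure."""
    stored = USERS.get(email)
    candidate = _hash(password)
    matches = hmac.compare_digest(stored if stored is not None else _DUMMY_HASH, candidate)
    if stored is None or not matches:
        return GENERIC_LOGIN_ERROR
    return "OK"


def send_otp_mitigated(email: str, sent_log: list) -> str:
    """Mitigate pattern: only deliver the OTP to existing accounts, but answer identically."""
    if email in USERS:
        sent_log.append(email)  # constructed stand-in for actually sending the email
    return GENERIC_OTP_MESSAGE
```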
