GDPR concern about error message during signup/signin

NHering22101 106 Reputation points
2021-04-03T13:21:51.91+00:00

I am using Microsoft B2C with the default sign in and sign up flow and run the following scenario

  1. sign up user with email ******@x.com and sign in
  2. sign out
  3. try to sign up again user ******@x.com

Regardless of whether I enter the password created at step 1 or not, I will get the error message "A user with the specified ID already exists. Please choose a different one.".

This means that anyone using a public app which uses B2C for authentication, only by knowing somebody's email, can find out whether that email exists in the B2C tenant or not.

In a similar manner, if I try to sign in with an existing account but a wrong password I am getting a different error message ("Your password is incorrect") than if I sign in with an email that does not exist in my B2C user base ("We can't seem to find your account").

I would prefer to be able to have generic messages, such as "Your email address or password is incorrect." in case of the sign in.

Do you have a way to address the above issue? How can I change my sign up and sign in error messages so that I don't expose this information to my end user?


Accepted answer
  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2021-04-07T10:53:31.433+00:00

    Hi @NHering22101 · Thank you for reaching out.

    You have 2 options here:

    1. Configure your Signup/Signin policy to require email verification. In that case, a user would be required to enter the verification code to prove his ownership of the email account before trying to sign up for an account in Azure AD B2C. Without entering the validation code, a malicious user won't be able to attempt signup.
    2. Configure the UserMessageIfClaimsPrincipalAlreadyExists parameter in the custom policy with the desired message to display, as shown below:

       <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalAlreadyExists">An error occurred. Please choose a different account.</LocalizedString>

    Read more: https://learn.microsoft.com/en-us/azure/active-directory-b2c/localization-string-ids#sign-up-and-self-asserted-pages-example

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
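A fuller form of option 2 that also neutralises the two sign-in messages from the question, added here as an example and not taken from the answer or from Microsoft's documentation. It assumes the starter-pack content definition IDs `api.signuporsignin` (local-account sign-in page) and `api.localaccountsignup` (local-account sign-up page) and the string IDs `UserMessageIfInvalidPassword` and `UserMessageIfClaimsPrincipalDoesNotExist`; it is merged into the `BuildingBlocks` of TrustFrameworkExtensions.xml.

```xml
<!-- Added example (not from the answer above). Content definition IDs and the
     two sign-in string IDs are assumed from the B2C starter pack; only
     UserMessageIfClaimsPrincipalAlreadyExists is quoted in the answer. -->
<BuildingBlocks>
  <ContentDefinitions>
    <!-- Assumed: page used by SelfAsserted-LocalAccountSignin-Email -->
    <ContentDefinition Id="api.signuporsignin">
      <LocalizedResourcesReferences MergeBehavior="Prepend">
        <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.signuporsignin.en" />
      </LocalizedResourcesReferences>
    </ContentDefinition>
    <!-- Assumed: page used by LocalAccountSignUpWithLogonEmail -->
    <ContentDefinition Id="api.localaccountsignup">
      <LocalizedResourcesReferences MergeBehavior="Prepend">
        <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.localaccountsignup.en" />
      </LocalizedResourcesReferences>
    </ContentDefinition>
  </ContentDefinitions>

  <Localization Enabled="true">
    <SupportedLanguages DefaultLanguage="en" MergeBehavior="Append">
      <SupportedLanguage>en</SupportedLanguage>
    </SupportedLanguages>

    <!-- Sign-in: wrong password and unknown account show identical text, so the
         response no longer tells the caller whether the email is registered. -->
    <LocalizedResources Id="api.signuporsignin.en">
      <LocalizedStrings>
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">Your email address or password is incorrect.</LocalizedString>
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">Your email address or password is incorrect.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>

    <!-- Sign-up: the "already exists" message becomes non-specific (option 2). -->
    <LocalizedResources Id="api.localaccountsignup.en">
      <LocalizedStrings>
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalAlreadyExists">An error occurred. Please choose a different account.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>
  </Localization>
</BuildingBlocks>
```

Both branches must render the same page with the same wording; any residual difference (a different page, a missing field, a noticeably different response time) still distinguishes the two cases, which is why the answer's option 1 is the stronger control.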
