
GDPR concern about error message during signup/signin

I am using Microsoft B2C with the default sign-in and sign-up flow and ran the following scenario:
1. sign up user with email x@x.com and sign in
2. sign out
3. try to sign up again user x@x.com

Regardless of whether I enter the password created at step 1 or not, I will get the error message "A user with the specified ID already exists. Please choose a different one.".

This means that anyone using a public app that uses B2C for authentication can, just by knowing somebody's email, find out whether that email exists in the B2C tenant or not.

In a similar manner, if I try to sign in with an existing account but a wrong password, I get a different error message ("Your password is incorrect") than if I sign in with an email that does not exist in my B2C user base ("We can't seem to find your account").

I would prefer to be able to have generic messages, such as "Your email address or password is incorrect." in case of the sign in.

Do you have a way to address the above issue? How can I change my sign up and sign in error messages so that I don't expose this information to my end user?



azure-ad-b2c

1 Answer

amanpreetsingh-msft answered

Hi @NHering22101, thank you for reaching out.

You have 2 options here:

  1. Configure your Signup/Signin policy to require email verification. In that case, a user would be required to enter the verification code to prove his ownership of the email account before trying to signup for an account in Azure AD B2C. Without entering the validation code, a malicious user won't be able to attempt signup.

  2. Configure UserMessageIfClaimsPrincipalAlreadyExists parameter in the custom policy with desired message to display, as shown below:

    <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalAlreadyExists">An error occurred. Please choose a different account.</LocalizedString>

Read more: https://docs.microsoft.com/en-us/azure/active-directory-b2c/localization-string-ids#sign-up-and-self-asserted-pages-example


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


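The localization override from option 2, extended to the sign-in strings the question mentions, as an added custom-policy fragment that is not part of the original answer or of Microsoft's starter pack. It assumes the content definition IDs `api.localaccountsignup` and `api.selfasserted` (they must match the `ContentDefinitionReferenceId` of your sign-up and sign-in technical profiles), and the string IDs `UserMessageIfClaimsPrincipalDoesNotExist` and `UserMessageIfInvalidPassword` are taken from the linked localization reference and should be checked against the current version of that page before use:

```xml
<!-- Added example (not from the original answer or Microsoft's starter pack).
     Assumptions: content definition IDs api.localaccountsignup and api.selfasserted;
     StringIds other than UserMessageIfClaimsPrincipalAlreadyExists are from the
     linked localization-string-ids reference and should be verified there. -->
<BuildingBlocks>
  <ContentDefinitions>
    <!-- Each content definition must point at the LocalizedResources below;
         repeat this reference for api.selfasserted with its own resource ID. -->
    <ContentDefinition Id="api.localaccountsignup">
      <LocalizedResourcesReferences MergeBehavior="Prepend">
        <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.localaccountsignup.en" />
      </LocalizedResourcesReferences>
    </ContentDefinition>
  </ContentDefinitions>

  <Localization Enabled="true">
    <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
      <SupportedLanguage>en</SupportedLanguage>
    </SupportedLanguages>

    <!-- Sign-up page: replace the default "A user with the specified ID already
         exists" text so the page no longer confirms that an address is registered. -->
    <LocalizedResources Id="api.localaccountsignup.en">
      <LocalizedStrings>
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalAlreadyExists">An error occurred. Please choose a different account.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>

    <!-- Sign-in page: use the same generic text for "no such account" and
         "wrong password" so the two cases cannot be told apart. -->
    <LocalizedResources Id="api.selfasserted.en">
      <LocalizedStrings>
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">Your email address or password is incorrect.</LocalizedString>
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">Your email address or password is incorrect.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>
  </Localization>
</BuildingBlocks>
```

Changing the wording only closes the message-based signal; a measurable difference in response time or in the number of round trips between the two sign-in failures would still distinguish them, so it is worth timing both paths in a test tenant after applying the override.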