GDPR concern about error message during signup/signin

NHering22101 106 Reputation points
2021-04-03T13:21:51.91+00:00

I am using Microsoft B2C with the default sign in and sign up flow and run the following scenario

  1. sign up user with email x@x.com and sign in
  2. sign out
  3. try to sign up again user x@x.com

Regardless of whether I enter the password created at step 1 or not, I will get the error message "A user with the specified ID already exists. Please choose a different one.".

This means that anyone using a public app which uses B2C for authentication, only by knowing somebody's email, can find out whether that email exists in the B2C tenant or not.

In a similar manner, if I try to sign in with an existing account but a wrong password, I am getting a different error message ("Your password is incorrect") than if I sign in with an email that does not exist in my B2C user base ("We can't seem to find your account").

I would prefer to be able to have generic messages, such as "Your email address or password is incorrect." in case of the sign in.

Do you have a way to address the above issue? How can I change my sign up and sign in error messages so that I don't expose this information to my end user?


Accepted answer
  AmanpreetSingh-MSFT 56,306 Reputation points
    2021-04-07T10:53:31.433+00:00

    Hi @NHering22101, thank you for reaching out.

    You have 2 options here:

    1. Configure your sign-up/sign-in policy to require email verification. In that case, a user would be required to enter the verification code to prove his ownership of the email account before trying to sign up for an account in Azure AD B2C. Without entering the validation code, a malicious user won't be able to attempt sign-up.
    2. Configure the UserMessageIfClaimsPrincipalAlreadyExists parameter in the custom policy with the desired message to display, as shown below:
       <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalAlreadyExists">An error occurred. Please choose a different account.</LocalizedString>

    Read more: https://learn.microsoft.com/en-us/azure/active-directory-b2c/localization-string-ids#sign-up-and-self-asserted-pages-example


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

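A fuller version of option 2, written here as an added example rather than the answer's own snippet: a Localization section for an Azure AD B2C custom policy that replaces the duplicate-account message on the sign-up page and, going beyond the answer, also gives the two sign-in messages the question contrasts one identical generic text. The resource IDs api.localaccountsignup.en and api.localaccountsignin.en and the sign-in string IDs UserMessageIfInvalidPassword and UserMessageIfClaimsPrincipalDoesNotExist are assumptions to check against the linked string-ID reference and your own ContentDefinitions.

```xml
<!-- Added example (not from the answer). Place under <BuildingBlocks> in the
     extension policy. Each LocalizedResources Id must be referenced from the
     matching ContentDefinition, e.g. (assumed starter-pack Id):

     <ContentDefinition Id="api.localaccountsignin">
       <LocalizedResourcesReferences MergeBehavior="Prepend">
         <LocalizedResourcesReference Language="en"
             LocalizedResourcesReferenceId="api.localaccountsignin.en" />
       </LocalizedResourcesReferences>
     </ContentDefinition>
-->
<Localization Enabled="true">
  <SupportedLanguages DefaultLanguage="en" MergeBehavior="Append">
    <SupportedLanguage>en</SupportedLanguage>
  </SupportedLanguages>

  <!-- Sign-up page: the duplicate-account message from the answer. Default text
       is "A user with the specified ID already exists. Please choose a different one." -->
  <LocalizedResources Id="api.localaccountsignup.en">
    <LocalizedStrings>
      <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalAlreadyExists">An error occurred. Please choose a different account.</LocalizedString>
    </LocalizedStrings>
  </LocalizedResources>

  <!-- Sign-in page (assumed string IDs): give the "wrong password" and
       "unknown account" cases the same text so the response no longer reveals
       whether the email is registered in the tenant. -->
  <LocalizedResources Id="api.localaccountsignin.en">
    <LocalizedStrings>
      <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">Your email address or password is incorrect.</LocalizedString>
      <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">Your email address or password is incorrect.</LocalizedString>
    </LocalizedStrings>
  </LocalizedResources>
</Localization>
```

This applies to custom policies only; with the default user flow the answer's option 1 (required email verification) is the available lever for the sign-up case.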
