DEV Community

Discussion on: Implementing Passwordless Authentication in Node.JS

andreasvirkus profile image

Excellent point to bring up! Same goes for signups. You should always say "You'll receive an email" and for existing emails, simply state that "Someone tried to sign up with us. If that was you - Log in here instead"

That way a malicious user/attacker can't enumerate the existing emails at a large scale