Enable email enumeration protection
This guide shows you how to enable email enumeration protection.
Overview
Email enumeration is a type of brute-force attack in which a malicious actor attempts to guess or confirm users in a system by passing an email address to the API and checking the response.
In the examples that follow, email enumeration protection is disabled. Identity Platform returns information that can be used in an email enumeration attack:
- An attempt is made to sign in with an email address that doesn't exist in the system. Identity Platform returns an EMAIL_NOT_FOUND error.
- An attempt is made to sign up with an email address that already exists in the system. Identity Platform returns an EMAIL_EXISTS error.
You can use Identity Platform's email enumeration protection feature to protect user accounts in your app from these attacks. Email enumeration protection offers the following features:
- Invalid sign-in cases return an INVALID_LOGIN_CREDENTIALS error response. Invalid sign-up cases return EMAIL_EXISTS.
- Removes error responses for email verification flows. If the email address exists, a verification email is sent. If it does not exist, a verification email is not sent. We recommend that you do not allow users to sign up without an email verification flow.
- Disables the ability for users to change their email address without first verifying the new address.
- Disables listing of sign-in methods for a specified email address when calling createAuthUri.
Enable email enumeration protection
To enable email enumeration protection, follow these steps:
1. In the Google Cloud console, print an access token for your project ID using the gcloud auth print-access-token command:

gcloud auth print-access-token --project=PROJECT_ID

2. Enable email enumeration protection for your project ID using the Identity Toolkit API:

curl -X PATCH \
  -d '{"email_privacy_config":{"enable_improved_email_privacy":true}}' \
  -H 'Authorization: Bearer ACCESS_TOKEN' \
  -H 'Content-Type: application/json' \
  -H 'X-Goog-User-Project: PROJECT_ID' \
  "https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=email_privacy_config"
Replace the following:
- ACCESS_TOKEN: the access token you generated earlier
- PROJECT_ID: your project ID
Disable email enumeration protection
To disable email enumeration protection, follow these steps:
1. In the Google Cloud console, print an access token for your project ID using the gcloud auth print-access-token command:

gcloud auth print-access-token --project=PROJECT_ID

2. Disable email enumeration protection using the Identity Toolkit API:

curl -X PATCH \
  -d '{"email_privacy_config":{"enable_improved_email_privacy":false}}' \
  -H 'Authorization: Bearer ACCESS_TOKEN' \
  -H 'Content-Type: application/json' \
  -H 'X-Goog-User-Project: PROJECT_ID' \
  "https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=email_privacy_config"
Replace the following:
- ACCESS_TOKEN: the access token you generated earlier
- PROJECT_ID: your project ID
Example of an error response
If a user attempts to sign in with an incorrect email address or password, or attempts to sign up with an email address that already exists in the system, Identity Platform returns an error similar to the following:
{
"code": "auth/internal-error",
"message": "{\"error\":{\"code\":400,\"message\":\"INVALID_LOGIN_CREDENTIALS\",\"errors\":[{\"message\":\"INVALID_LOGIN_CREDENTIALS\",\"domain\":\"global\",\"reason\":\"invalid\"}]}}"
}
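The following Python is an added example, not code from this guide or from the Identity Platform SDKs. It serves both the enable/disable procedure above (it builds the same PATCH request as the curl command, with the flag as a JSON boolean) and the error response just shown (it unwraps the JSON string nested in "message" and checks whether a sign-in error still reveals account existence, which is how to confirm the protection took effect). It assumes the admin v2 config endpoint used by the curl command and that a GET on that endpoint returns the field in camelCase as emailPrivacyConfig.enableImprovedEmailPrivacy; the sample error is constructed from the response in this guide.

```python
import json
import urllib.request

# Endpoint from the curl command in this guide (assumption: same path for GET and PATCH).
CONFIG_URL = "https://identitytoolkit.googleapis.com/admin/v2/projects/{project_id}/config"

# Constructed sample: the client error shown in this guide once protection is enabled.
SAMPLE_ERROR = {
    "code": "auth/internal-error",
    "message": json.dumps({"error": {"code": 400, "message": "INVALID_LOGIN_CREDENTIALS",
                                     "errors": [{"message": "INVALID_LOGIN_CREDENTIALS",
                                                 "domain": "global", "reason": "invalid"}]}}),
}


def build_privacy_patch(project_id: str, access_token: str, enable: bool = True) -> urllib.request.Request:
    """Build the PATCH request equivalent to the curl command; body is strict JSON."""
    body = {"email_privacy_config": {"enable_improved_email_privacy": enable}}
    return urllib.request.Request(
        CONFIG_URL.format(project_id=project_id) + "?updateMask=email_privacy_config",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
            "X-Goog-User-Project": project_id,
        },
    )


def protection_enabled(config: dict) -> bool:
    """Read the flag from a GET .../config response body (assumption: camelCase field names)."""
    return bool(config.get("emailPrivacyConfig", {}).get("enableImprovedEmailPrivacy", False))


def error_reason(error: dict) -> str:
    """Return the Identity Toolkit error code from the client error format in this guide.

    The outer "message" is itself a JSON string wrapping {"error": {"message": ...}},
    so it has to be parsed a second time.
    """
    inner = json.loads(error["message"])
    return inner["error"]["message"]


def leaks_account_existence(reason: str) -> bool:
    """True when a sign-in error tells the caller that the address is not registered.

    With protection enabled, a wrong email and a wrong password both yield
    INVALID_LOGIN_CREDENTIALS, so this should be False for every sign-in failure.
    """
    return reason == "EMAIL_NOT_FOUND"
```

To verify a project after enabling, send the built request with urllib.request.urlopen, then attempt a sign-in with an unregistered test address and pass the error through error_reason and leaks_account_existence.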