How does account enumeration impact passkey login flows?

Account enumeration refers to a type of cyber attack where attackers determine if a particular account or email address exists on a service, often by observing how the login system responds to different inputs. Managing this risk significantly influences the choice between identifier-first passkey flows and separate passkey buttons:

• How they work: Users enter their email or username first, and if a valid passkey exists, the login automatically proceeds.
• Account enumeration risk: High. Attackers can infer whether an email or username exists based on how the system reacts (for example, if it triggers a passkey prompt only for known accounts).
• Mitigation strategies:
  • Use generic error messages (e.g., "If an account exists, instructions were sent to your email").
  • Implement rate limiting and bot-detection measures.
  • Utilize advanced intelligence tools (like Corbado’s Passkey Intelligence) to ensure passkey prompts only appear when successful login is highly probable, minimizing exposure.

• How they work: Users proactively click a dedicated passkey login button; authentication starts only if a passkey exists.
• Account enumeration risk: Significantly reduced. Since the passkey process initiates only after the user explicitly selects this option, there's less opportunity for attackers to deduce account validity from passive system responses.
• Challenges:
  • Typically, lower adoption rates as users might overlook or bypass this button out of habit.
  • May require additional UX efforts (like strategic prompts) to encourage usage.

Organizations must balance security with usability:

• Choose identifier-first flows if:

  • High login convenience and user experience are prioritized.
  • You're equipped with advanced security layers to manage enumeration risks effectively.

• Choose separate passkey buttons if:

  • Account enumeration risk is a critical security concern.
  • You're in a highly regulated environment or need extra protection against enumeration attacks.

Ultimately, the decision depends on your organization's specific security posture, user expectations, and available technological mitigations.