User enumeration protection
What is user enumeration?
User enumeration is a technique where attackers use failed authentication attempts to determine whether a specific user account exists in an application.
For example, if a user signs in with an identifier that doesn't match an existing account, Clerk tells them no account was found. This is helpful for legitimate users who may not remember if they signed up. However, a malicious actor can exploit these error messages to check whether accounts exist for specific identifiers (like emails or phone numbers) and build a list of valid accounts. This is user enumeration.
Configure user enumeration protection
To remove the ability to determine whether an account exists:
- In the Clerk Dashboard, navigate to the Attack protection page.
- Enable one of the User enumeration protection settings based on your needs.
How user enumeration protection works
Bulk protection adds rate limiting while preserving the normal sign-in experience. Strict protection hides whether accounts exist, which provides stronger security but means legitimate users won't get helpful feedback if they use the wrong identifier or misremember their account. Choose strict protection if preventing account discovery is a priority for your application.
Bulk user enumeration protection
Bulk user enumeration protection enforces rate limits to prevent attackers from checking registered email addresses and phone numbers in bulk. Targeted attacks against individual accounts are still possible.
Clerk's existing PII protections still apply. For example, during sign-in, even though bulk protection reveals whether a user exists, Clerk redacts personal information, showing only enough to be recognizable (e.g. "Send SMS code to +********00").
Strict user enumeration protection
With Strict user enumeration protection, users won't receive feedback about whether their identifier matches an existing account until they verify their identity.
Strict enumeration covers:
- Sign up: If you sign up with an email or phone number that already exists, Clerk won't send a verification code. Instead, it sends a notification (email or SMS) letting the account owner know someone tried to sign up, and suggesting they sign in instead.
- Sign in: When the account exists, sign-in proceeds normally. When it doesn't, Clerk's behavior depends on the strategy:
  - Password or Web3 wallet: The attempt is rejected without revealing whether the account exists.
  - Email code or email link: Clerk sends a notification to the address explaining that someone tried to sign in, and suggesting they sign up instead.
  - Phone code: Clerk shows the verification screen as if a message was sent, but doesn't actually send anything.
    - Because SMS can be costly during an enumeration attack, Clerk doesn't send SMS for sign-in attempts to non-existent accounts. We're exploring ways to add SMS notifications as we develop our anti-fraud protections.
- User profile: If you add an email or phone number to your profile that already exists, Clerk shows the verification screen as if a message was sent, but doesn't actually send anything. Clerk doesn’t send notifications in this case, since these attempts are more likely to be attacks than real updates.