From d6f1d8c93398915198822bd5b6aa9cda31887497 Mon Sep 17 00:00:00 2001 From: aeneasr <3372410+aeneasr@users.noreply.github.com> Date: Tue, 22 Apr 2025 12:55:30 +0200 Subject: [PATCH 1/3] docs: account enumeration mitigation --- .../identifier-first-authentication.mdx | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/identities/sign-in/identifier-first-authentication.mdx b/docs/identities/sign-in/identifier-first-authentication.mdx index 19c343404..bfdd215f1 100644 --- a/docs/identities/sign-in/identifier-first-authentication.mdx +++ b/docs/identities/sign-in/identifier-first-authentication.mdx @@ -7,6 +7,12 @@ sidebar_label: Identifier first authentication Identifier first authentication first requests the user's identifier such as an email or username before prompting for a password or other authentication methods. +:::note + +Identifier first authentication is required when using B2B Organization login. + +::: + This guide explains how to enable and use identifier first authentication in Ory Network and self-hosted Ory Kratos. ## Ory Network @@ -35,3 +41,23 @@ selfservice: ``` To disable this feature, set `style` to `unified`. + +## Account enumeration mitigation + +Account enumeration mitigation prevents malicious actors from being able to identify if a user exists or not. + +Per default, account enumeration mitigation is disabled when using identifier first authentication. This improves user experience +as the user quickly sees if they are signed up or not with the chosen identifier (email / username). To enable account +enumeration, use the Ory CLI patch command + +```shell +ory patch identity-config --project --add '/security/account_enumeration/mitigate=true' +``` + +or if you use a config file, add the following to your `kratos.yaml` config file: + +```yaml title="kratos-config.yaml" +security: + account_enumeration: + mitigate: true +``` From 3eccb3d8488839f76e7f228c70d452bd254e3543 Mon Sep 17 00:00:00 2001 
From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Mon, 28 Apr 2025 10:58:17 +0200 Subject: [PATCH 2/3] Update docs/identities/sign-in/identifier-first-authentication.mdx Co-authored-by: Jonas Hungershausen --- docs/identities/sign-in/identifier-first-authentication.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/identities/sign-in/identifier-first-authentication.mdx b/docs/identities/sign-in/identifier-first-authentication.mdx index bfdd215f1..b9165fe9d 100644 --- a/docs/identities/sign-in/identifier-first-authentication.mdx +++ b/docs/identities/sign-in/identifier-first-authentication.mdx @@ -46,8 +46,8 @@ To disable this feature, set `style` to `unified`. Account enumeration mitigation prevents malicious actors from being able to identify if a user exists or not. -Per default, account enumeration mitigation is disabled when using identifier first authentication. This improves user experience -as the user quickly sees if they are signed up or not with the chosen identifier (email / username). To enable account +By default, Ory does not prevent account enumeration in the identifier first authentication flow. This improves user experience +as the user quickly knows if they have an account with the chosen identifier (email / username) or not. To enable account enumeration, use the Ory CLI patch command ```shell From dd491cf1b719709614ff6bbf74e0d85d5bfa3de2 Mon Sep 17 00:00:00 2001 From: aeneasr <3372410+aeneasr@users.noreply.github.com> Date: Tue, 29 Apr 2025 15:27:20 +0200 Subject: [PATCH 3/3] chore: synchronize workspaces --- docs/identities/sign-in/identifier-first-authentication.mdx | 4 ++-- docs/kratos/organizations/organizations.mdx | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/identities/sign-in/identifier-first-authentication.mdx b/docs/identities/sign-in/identifier-first-authentication.mdx index b9165fe9d..2d9019c04 100644 
--- a/docs/identities/sign-in/identifier-first-authentication.mdx +++ b/docs/identities/sign-in/identifier-first-authentication.mdx @@ -46,8 +46,8 @@ To disable this feature, set `style` to `unified`. Account enumeration mitigation prevents malicious actors from being able to identify if a user exists or not. -By default, Ory does not prevent account enumeration in the identifier first authentication flow. This improves user experience -as the user quickly knows if they have an account with the chosen identifier (email / username) or not. To enable account +By default, Ory does not prevent account enumeration in the identifier first authentication flow. This improves user experience as +the user quickly knows if they have an account with the chosen identifier (email / username) or not. To enable account enumeration, use the Ory CLI patch command ```shell diff --git a/docs/kratos/organizations/organizations.mdx b/docs/kratos/organizations/organizations.mdx index 5bb8615b2..c890ee2e8 100644 --- a/docs/kratos/organizations/organizations.mdx +++ b/docs/kratos/organizations/organizations.mdx @@ -48,6 +48,9 @@ graph LR /> ``` +Organizations require identifier-first authentication and two-step registration when using Account Experience 2.x or Ory Elements +1.x. + ## Manage organizations ```mdx-code-block
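Review bot: In PATCH 1/3, hunk `@@ -35,3 +41,23 @@`, the sentence "To enable account enumeration, use the Ory CLI patch command" says the opposite of what the setting does; it should read "To enable account enumeration mitigation, use ...", since the key being set is `/security/account_enumeration/mitigate=true`. In the same hunk the command `ory patch identity-config --project --add '/security/account_enumeration/mitigate=true'` passes `--project` with no value; a placeholder such as `--project <project-id>` would make it copy-pasteable. The prose also refers to `kratos.yaml` while the fence is titled `kratos-config.yaml`; pick one file name. Finally, the opening sentence only names the goal ("prevents malicious actors from being able to identify if a user exists or not"); one sentence on what actually changes in the identifier first flow once mitigation is on, and the user-experience trade-off the next paragraph alludes to, would let readers decide whether to enable it.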
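Review bot: In PATCH 2/3, hunk `@@ -46,8 +46,8 @@`, the rewrite fixes "Per default" and the sign-up wording, but the unchanged trailing context line "enumeration, use the Ory CLI patch command" still completes the sentence as "To enable account enumeration, use ...", so the paragraph continues to describe enabling enumeration rather than its mitigation. Suggest extending the hunk to change the last line to "enumeration mitigation, use the Ory CLI patch command".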
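Review bot: In PATCH 3/3, the first hunk (`@@ -46,8 +46,8 @@` in identifier-first-authentication.mdx) is a whitespace-only reflow that moves "as" from the start of the second line to the end of the first; it changes the same two lines as PATCH 2/3 and would be cleaner squashed into that commit rather than carried under a "chore: synchronize workspaces" subject. It also leaves the "To enable account enumeration, use" wording in place.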
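Review bot: In PATCH 3/3, hunk `@@ -48,6 +48,9 @@` in organizations.mdx, the added sentence states the requirement conditionally ("when using Account Experience 2.x or Ory Elements 1.x") and adds two-step registration, whereas the `:::note` admonition added in PATCH 1/3 says unconditionally that "Identifier first authentication is required when using B2B Organization login" and says nothing about two-step registration. The two pages should state the same requirement; suggest adding the version condition and two-step registration to the admonition as well. Spelling is also inconsistent: this hunk writes "identifier-first authentication" (hyphenated) while the sign-in page uses "identifier first authentication" throughout.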