
How does account enumeration impact passkey login flows?

Understand how account enumeration risks impact choosing between identifier-first passkey flows and separate passkey button methods.

Vincent Delitz

Created: April 10, 2025

Updated: May 12, 2026


How does account enumeration risk influence the decision between identifier-first flows and separate passkey buttons?

Account enumeration is a class of attack in which an adversary determines whether a particular account or email address exists on a service, typically by observing how the login system responds to different inputs. Managing this risk is a major factor in the choice between identifier-first passkey flows and separate passkey buttons:

Identifier-First Flows

  • How they work: Users enter their email or username first, and if a valid passkey exists, the login automatically proceeds.
  • Account enumeration risk: High. Attackers can infer whether an email or username exists based on how the system reacts (for example, if it triggers a passkey prompt only for known accounts).
  • Mitigation strategies:
    • Use generic error messages (e.g., "If an account exists, instructions were sent to your email").
    • Implement rate limiting and bot-detection measures.
    • Utilize advanced intelligence tools (like Corbado’s Passkey Intelligence) to ensure passkey prompts only appear when successful login is highly probable, minimizing exposure.
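To make the first mitigation concrete, here is an added example (not code from the original article or from Corbado) of an identifier-first "begin login" endpoint in two versions: a leaky one whose response shape differs for unknown accounts, and a hardened one that returns an identically shaped response with deterministic decoy credential IDs for unknown or passkey-less accounts, plus a minimal per-client rate limiter. The user store, credential IDs, client address and pepper are constructed for the example; the hardened version only equalises the response body, so timing differences still need to be checked separately.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict

# Constructed in-memory user store: identifier -> registered passkey credential IDs.
USERS = {
    "alice@example.com": ["a1b2c3d4e5f6"],  # has a passkey
    "bob@example.com": [],                  # account exists, no passkey yet
}
# Assumed long-lived server secret; in production it must be persisted so that
# decoy IDs stay stable across restarts (otherwise restarts themselves leak).
PEPPER = os.urandom(32)

def begin_login_leaky(identifier):
    """'Before' version: three different responses reveal account state."""
    creds = USERS.get(identifier)
    if creds is None:
        return {"error": "unknown account"}
    if not creds:
        return {"error": "no passkey registered"}
    return {"challenge": secrets.token_hex(32), "allowCredentials": creds}

def decoy_credential_ids(identifier, count=1):
    """Deterministic fake credential IDs: repeated probes of the same identifier
    always see the same list, so the decoy cannot be told apart by re-querying."""
    return [hmac.new(PEPPER, f"{identifier}:{i}".encode(), hashlib.sha256).hexdigest()[:12]
            for i in range(count)]

def begin_login_hardened(identifier):
    """Same response shape whether the account exists, has no passkey, or is unknown.
    A decoy ID never matches a real authenticator, so the ceremony simply fails later."""
    creds = USERS.get(identifier) or decoy_credential_ids(identifier)
    return {"challenge": secrets.token_hex(32), "allowCredentials": creds}

_attempts = defaultdict(list)

def allow_request(client_key, limit=10, window_s=60, now=None):
    """Sliding-window rate limit per client key (e.g. source IP); returns False when
    the client has already made `limit` begin-login calls inside the window."""
    now = time.time() if now is None else now
    recent = [t for t in _attempts[client_key] if now - t < window_s]
    if len(recent) >= limit:
        _attempts[client_key] = recent
        return False
    recent.append(now)
    _attempts[client_key] = recent
    return True
```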

Separate Passkey Buttons

  • How they work: Users proactively click a dedicated passkey login button; authentication starts only if a passkey exists.
  • Account enumeration risk: Significantly reduced. Since the passkey process initiates only after the user explicitly selects this option, there's less opportunity for attackers to deduce account validity from passive system responses.
  • Challenges:
    • Typically lower adoption rates, as users may overlook or bypass this button out of habit.
    • May require additional UX efforts (like strategic prompts) to encourage usage.

Decision-making Factors

Organizations must balance security with usability:

  • Choose identifier-first flows if:
    • High login convenience and user experience are prioritized.
    • You're equipped with advanced security layers to manage enumeration risks effectively.
  • Choose separate passkey buttons if:
    • Account enumeration risk is a critical security concern.
    • You're in a highly regulated environment or need extra protection against enumeration attacks.

Ultimately, the decision depends on your organization's specific security posture, user expectations, and available technological mitigations.

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation).
