---
url: 'https://www.corbado.com/faq/account-enumeration-risk-passkeys'
title: 'How does account enumeration impact passkey login flows?'
description: 'Understand how account enumeration risks impact choosing between identifier-first passkey flows and separate passkey button methods.'
lang: 'en'
keywords: 'account enumeration'
---

# How does account enumeration impact passkey login flows?

## How does account enumeration risk influence the decision between identifier-first flows and separate passkey buttons?

**Account enumeration** refers to a type of [cyber attack](https://www.corbado.com/glossary/cyber-attack) where
attackers determine if a particular account or email address exists on a service, often by
observing how the login system responds to different inputs. Managing this risk
significantly influences the choice between **identifier-first passkey flows** and
**separate passkey buttons**:

## Identifier-First Flows

- **How they work**: Users enter their email or username first, and if a valid passkey
  exists, the login automatically proceeds.
- **Account enumeration risk**: High. Attackers can infer whether an email or username
  exists based on how the system [reacts](https://www.corbado.com/blog/react-passkeys) (for example, if it
  triggers a passkey prompt only for known accounts).
- **Mitigation strategies**:
    - Use generic error messages (e.g., "If an account exists, instructions were sent to
      your email").
    - Implement rate limiting and bot-detection measures.
    - Utilize advanced intelligence tools (like Corbado’s
      [Passkey Intelligence](https://docs.corbado.com/corbado-connect/features/passkey-intelligence))
      to ensure passkey prompts only appear when successful login is highly probable,
      minimizing exposure.
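As an added illustration (not Corbado's code), here is a minimal server-side "start login" handler for an identifier-first flow, first in a form that leaks whether an account exists, then hardened so every identifier receives an identically shaped, timing-padded challenge response. It goes beyond the generic-message mitigation above by returning a deterministic decoy credential ID for unknown accounts, a pattern the WebAuthn specification's username-enumeration guidance describes. The user table, secret and credential IDs are constructed placeholders.

```python
import hmac
import secrets
import time

# Constructed sample data (hypothetical, not from any real deployment).
SERVER_SECRET = b"constructed-demo-secret"
USERS = {
    "alice@example.com": ["cred-alice-1"],  # account with a registered passkey
    "bob@example.com": [],                  # account exists but has no passkey
}


def begin_login_vulnerable(identifier: str) -> dict:
    """Identifier-first start that leaks account existence: known accounts get a
    challenge, everything else gets a distinguishable error, so each probe
    tells the caller whether the identifier is registered."""
    creds = USERS.get(identifier)
    if creds is None:
        return {"status": "error", "message": "no such account"}
    if not creds:
        return {"status": "error", "message": "no passkey registered"}
    return {"status": "ok", "challenge": secrets.token_hex(16), "allowCredentials": creds}


def _decoy_credential(identifier: str) -> str:
    """Deterministic per-identifier decoy ID, so repeated probes of an unknown
    account look consistent instead of changing on every request."""
    return hmac.new(SERVER_SECRET, identifier.encode(), "sha256").hexdigest()[:11]


def begin_login_hardened(identifier: str, min_ms: int = 50) -> dict:
    """Same flow, but every identifier gets the same response shape: a fresh
    challenge and a non-empty allowCredentials list, with the response time
    padded to at least min_ms. Decoy assertions simply fail at verification."""
    start = time.monotonic()
    creds = USERS.get(identifier) or [_decoy_credential(identifier)]
    resp = {"status": "ok", "challenge": secrets.token_hex(16), "allowCredentials": creds}
    elapsed_ms = (time.monotonic() - start) * 1000
    if elapsed_ms < min_ms:
        time.sleep((min_ms - elapsed_ms) / 1000)
    return resp


def response_shape(resp: dict) -> tuple:
    """What a probing client can observe from one response: status, the set of
    keys, and whether any credential IDs came back."""
    return (resp["status"], tuple(sorted(resp)), bool(resp.get("allowCredentials")))
```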

## Separate Passkey Buttons

- **How they work**: Users proactively click a dedicated
  [passkey login button](https://www.corbado.com/faq/passkey-button-approach); authentication starts only if a
  passkey exists.
- **Account enumeration risk**: Significantly reduced. Since the passkey process initiates
  only after the user explicitly selects this option, there's less opportunity for
  attackers to deduce account validity from passive system responses.
- **Challenges**:
    - Typically lower adoption rates, as users might overlook or bypass this button out of
      habit.
    - May require additional UX efforts (like strategic prompts) to encourage usage.

## Decision-making Factors

Organizations must balance security with usability:

- **Choose identifier-first flows if**:
    - High login convenience and user experience are prioritized.
    - You're equipped with advanced security layers to manage enumeration risks
      effectively.

- **Choose separate passkey buttons if**:
    - Account enumeration risk is a critical security concern.
    - You're in a highly regulated environment or need extra protection against
      enumeration attacks.

Ultimately, the decision depends on your organization's specific security posture, user
expectations, and available technological mitigations.
