Login and registration page

[Naskut]

When reviewing the login page, we identified a potential security issue when asking customers only for their email address to check if they have an account or not.

This makes the site less secure because hackers with lists of emails could run a check on which emails are actually having an account in this website and send pshishing emails to those accounts.

Solution: Create an additional button for Sign in specifically, so that customers have to enter both email address and password combination correctly to be able to sign in.

Error message if validation fails will not specify which input was valid, but only mention that the combination does not work.

[paales]

Although I understand your concern, we're following Magento's GraphQL API here: https://developer.adobe.com/commerce/webapi/graphql/schema/customer/queries/is-email-available/

Since this API is exposed by Magento, limiting usage on the GraphCommerce side will not reduce any risk. What do you think?

If this is a concern, I'll might be able to ping someone from Magento to answer this question.

[Naskut]

I believe that maybe the purpose of that API is to return a message to customer IF:

• Customer has already created an account with that email address
• Customer forgot that he has an account and is trying to create an account again

I have seen this flow online and the message I get is something along the lines of "This email address is already registered, if you forgot your password click here".

However this has the same security issue because if I know I have an account for example with Bol.com and I get a phishing email from bol.com, then the chances I actually take it as a legitimate email are higher than if I get an email from a company for which I am positive I do not have an account with. This gives hackers a more successful rate to actually deceive a customer (specially since they keep on improving those emails and some actually do a good job at impersonating a company).

Therefore, if customer tries to create a new account with same email, the correct answer would be to still ask for a password and if customer forgets password and clicks on FORGOTTEN PASSWORD link, then the message is along the lines of "IF this email address exists in our database of registered users, then you will receive a link to update the password."

This is how we will implement it in our project, I just wanted to share this as an improvement point for your demo site :)

Thank you.

[paales]

This has since been solved