Amazon Cognito hosted UI password reset code message

Question

In the Cognito hosted UI "forgot your password" process, If a user enters a Username that does not exists the following message is shown.
```We have sent a password reset code by email to f***@y***.com. Enter it below to reset your password.```
where **f***@y***.com** is a "fake" email address which looks to be made up using the username entered.

This is causing our support team issues as users think their code is being sent to a strange email address.

I explained what I think is going on is that the UI does not want to inform the user that their ID was not found (for security reasons) so it makes up a fake email address. **I cannot seem to find any documentation on this. Can anyone point me to official Cognito documentation that explains this process?**

Accepted Answer

Hi,

You are right, this behavior is to protect Cognito customers from username enumeration risks. The behavior is highlighted in the [managing error messages page](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html) and applied when prevent user existence error is enabled.

> When you enable custom error responses, Amazon Cognito authentication APIs return a generic authentication failure response. The error response tells you the user name or password is incorrect. Amazon Cognito account confirmation and password recovery APIs return a response indicating a code was sent to a simulated delivery medium.

Amazon Cognito hosted UI password reset code message

関連するコンテンツ