How to prevent Cognito sign up from exposing user email existence?


I am using Cognito for authentication. In the user pool configuration, I have "PreventUserExistenceErrors" enabled. However, this only affects sign-in and does not affect sign-up. For security and user identity protection, I need to prevent the "account already exists" response. For example, here is a response that I receive on sign up:

{
  "__type": "UsernameExistsException",
  "message": "An account with the given email already exists."
}

According to the documentation, the above result is expected behavior:

*The SignUp operation returns UsernameExistsException when a user name is already taken. To prevent the UsernameExistsException error for email or phone number during SignUp, you can use verification based aliases. For more information, see AliasAttributes Amazon Cognito API Reference guide. For more information about aliases see Overview of Aliases.*

(https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html)

I looked at "AliasAttributes" and cannot find any more detail in the documentation on how these could be used to prevent the "UsernameExistsException" response. It sounds like I would need to make users create both a username AND an email, which is not ideal.

How can I get around this without writing custom handlers? (which is the entire reason I am using Cognito in the first place)

Thanks

asked 2 years ago · 315 views
1 Answer

I understand your concern about preventing the "account already exists" response during sign-up in Amazon Cognito. By default, Cognito considers the username as the unique identifier for user accounts, which can lead to the "UsernameExistsException" error when a user with the same username or email tries to sign up again. You have already reviewed the document "AliasAttributes Amazon Cognito API Reference guide" https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html and according to the documentation, the above result is expected behaviour.

The Cognito SignUp API gives an error when someone tries to sign up with an email or phone number that's already in use. This error might suggest that the user already has an account. However, to make it more secure, you can use only usernames during the SignUp process instead of emails or phone numbers. This way, the error won't directly reveal if a specific email or phone number is already registered, making the system safer and more private. In this approach, the SignUp action will only show a user existence error if someone tries to sign up with a username that's already taken. This means no information about email addresses or phone numbers being already signed up will be revealed. To learn more about alias attributes, you can find additional information here [1].

In your case, you can create a new user pool in Cognito and make sure to use the 'preferred_username' as the alias attribute [2].

After making these changes and setting the alias attribute to 'preferred_username', the UsernameExistsException will only occur when a client attempts to use a username that is already taken. As a result, no sensitive data like email addresses or phone numbers will be exposed [3].

References:

[1] Managing user existence error responses: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

[2] Customizing sign-in attributes: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases

[3] Create User Pool: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request

AWS
answered 9 months ago
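The answer above comes down to a user pool configuration choice: when `email` (or `phone_number`) is a *username attribute*, a second SignUp with the same value collides and returns `UsernameExistsException`, whereas a pool whose username is an opaque string with `preferred_username` as an *alias attribute* only collides on usernames. The following script is an added example, not part of the question or answer and not AWS code. It audits a `DescribeUserPool` response for that leak and shows the weak `CreateUserPool` parameters beside the hardened ones. It uses only the standard library; the two sample pool descriptions are constructed (the pool IDs are placeholders), and the treatment of alias attributes as non-leaking follows the Cognito documentation quoted on the page, which describes them as verification based.

```python
import json
from typing import Dict, List

# Constructed sample responses in the shape of DescribeUserPool output
# (field names are the real API fields; IDs and values are invented).
LEAKY_POOL = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLEWEAK",
        "Name": "signup-with-email-as-username",
        # email IS the username: a duplicate email makes SignUp fail with
        # UsernameExistsException, which tells the caller the address is registered.
        "UsernameAttributes": ["email"],
        "AutoVerifiedAttributes": ["email"],
    }
}

HARDENED_POOL = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLEHARD",
        "Name": "signup-with-opaque-username",
        # Username is an opaque string chosen by the client; preferred_username
        # is an alias the user can sign in with. email is a plain attribute, so
        # a duplicate email does not collide at SignUp.
        "AliasAttributes": ["preferred_username"],
        "AutoVerifiedAttributes": ["email"],
    }
}

CONTACT_ATTRIBUTES = ("email", "phone_number")


def signup_can_leak_contact_existence(describe_user_pool_response: Dict) -> List[str]:
    """Return the contact attributes whose prior registration would make SignUp
    raise UsernameExistsException for this pool.

    Only attributes listed in UsernameAttributes collide at SignUp. Attributes in
    AliasAttributes are verification based (per the Cognito docs quoted on the
    page): SignUp succeeds and the alias is resolved when the new user verifies,
    so they are not reported here.
    """
    pool = describe_user_pool_response["UserPool"]
    username_attrs = set(pool.get("UsernameAttributes", []))
    return sorted(a for a in CONTACT_ATTRIBUTES if a in username_attrs)


def recommended_create_user_pool_params(pool_name: str) -> Dict:
    """Build CreateUserPool parameters for the approach in the answer:
    opaque username, preferred_username as alias, email auto-verified.
    UsernameAttributes and AliasAttributes are mutually exclusive in the API,
    so UsernameAttributes is deliberately absent."""
    return {
        "PoolName": pool_name,
        "AliasAttributes": ["preferred_username"],
        "AutoVerifiedAttributes": ["email"],
    }


def audit_report(describe_user_pool_response: Dict) -> str:
    """Human-readable one-line verdict for a pool description."""
    pool = describe_user_pool_response["UserPool"]
    leaks = signup_can_leak_contact_existence(describe_user_pool_response)
    if leaks:
        return f"{pool['Id']}: SignUp reveals registration of {', '.join(leaks)}"
    return f"{pool['Id']}: SignUp only collides on usernames"


if __name__ == "__main__":
    # In practice, pipe in the output of:
    #   aws cognito-idp describe-user-pool --user-pool-id <POOL_ID>
    for sample in (LEAKY_POOL, HARDENED_POOL):
        print(audit_report(sample))
    print(json.dumps(recommended_create_user_pool_params("example-pool"), indent=2))
```

The audit reads the same JSON the `describe-user-pool` CLI command prints, so it can be run against a real pool by loading that output with `json.load` instead of the constructed samples.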
