My partner and I are arguing about our auth system. They believe that obfuscating the existence of another account (by showing a generic error) is preferable to surfacing an error warning about account name collision. I argue that this is a way to get users to go away and not come back.
Relatedly, I suggest the pattern of obfuscating email (which also must be unique) availability in the "forgot password" confirmation, but they argue that if we're not obfuscating existence on sign-up, it's asinine to obfuscate on recovery. I kind of have to agree, but I'm curious why sites like Microsoft follow that pattern.
I had to send a password reset today and they said, "If [blah] matches the email on your account, we'll send you a code", but I just tried to make an account with the same email and it said, "[blah] is already a Microsoft account." I feel sure I've seen this pattern elsewhere, too. What's the benefit of obfuscating one and not the other?
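The two sign-up behaviours being compared and a non-disclosing recovery endpoint, sketched in Python as an added example (not code from the question or from any site it mentions); the in-memory `USERS` store, the `OUTBOX` list standing in for a mail service, and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed sample data: one existing account. Real systems would use a DB.
USERS = {"alice@example.com": {"pw_hash": "constructed-hash"}}
OUTBOX = []  # assumed stand-in for an email service: (to, subject, body)


def _send(to, subject, body):
    OUTBOX.append((to, subject, body))


def request_reset(email):
    """Recovery endpoint that tells the caller nothing about account existence:
    the same message comes back either way, and the token is generated on both
    paths so the response time does not differ noticeably."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if email in USERS:
        USERS[email]["reset_digest"] = digest  # store only a hash of the code
        _send(email, "Password reset", f"Your code: {token}")
    return "If that address matches an account, we'll send a code."


def sign_up_disclosing(email):
    """Sign-up that surfaces the collision, so the user learns immediately
    that the address is taken (the behaviour the question observed)."""
    if email in USERS:
        return f"{email} is already an account."
    USERS[email] = {"pw_hash": None}
    return "Check your email to verify your account."


def sign_up_nondisclosing(email):
    """Sign-up that hides the collision from the caller: one on-screen message
    for both cases, while the mailbox owner gets either a verification link or
    a note that they already have an account, so a real user is not stranded."""
    if email in USERS:
        _send(email, "You already have an account",
              "Use 'forgot password' if you cannot sign in.")
    else:
        USERS[email] = {"pw_hash": None}
        _send(email, "Verify your account", "Follow the link to finish signing up.")
    return "Check your email to continue."
```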