by Borealid 823 days ago
You don't need a password to prevent account enumeration; you can send people who choose a nonexistent account a bogus credential that the token won't accept.

You have to display the password prompt for invalid accounts to avoid enumeration without WebAuthn too...
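
An added example, not part of the comment above: one way a server could hand out the bogus credential the comment describes, by deriving a stable decoy credential ID per unknown username with an HMAC. The names `DECOY_KEY`, `REGISTERED`, `decoy_credential_id` and `assertion_options` are hypothetical, and the 32-byte ID length and the sample store are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that stays stable across requests and
# restarts (generated here only so the example runs stand-alone).
DECOY_KEY = secrets.token_bytes(32)

# Constructed sample store: username -> registered credential IDs (raw bytes).
REGISTERED = {"alice": [bytes.fromhex("a1" * 32)]}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decoy_credential_id(username: str, key: bytes = DECOY_KEY) -> bytes:
    """Derive a stable fake credential ID for a username with no account.

    HMAC makes the decoy identical on every request (a random one would
    change between requests and reveal that the account is fake) and
    unpredictable without the key.
    """
    msg = b"decoy-credential-id:" + username.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def assertion_options(username: str, store=REGISTERED, key: bytes = DECOY_KEY) -> dict:
    """Build WebAuthn request options with the same shape for any username."""
    decoy = decoy_credential_id(username, key)  # computed on both paths
    cred_ids = store.get(username) or [decoy]
    return {
        "challenge": b64url(secrets.token_bytes(32)),
        "allowCredentials": [
            {"type": "public-key", "id": b64url(cid)} for cid in cred_ids
        ],
        "userVerification": "preferred",
    }
```

The decoy only blends in if its length and the number of entries match what real accounts on the same service return, so both should be tuned to the authenticators actually in use.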