Yeah, there are some unique threat models where determining that an account exists would be a sensitive information disclosure. In those cases users would be more willing to endure the potentially heavy handed UX trade offs required to adequately prevent it.
It’s the idea that knowing that an account exists somehow represents a compromise in the accounts security posture that I generally reject.
It’s the idea that knowing that an account exists somehow represents a compromise in the accounts security posture that I generally reject.