We need to block multiple accounts from being created using identical PII without leaking any information regarding the original account. What is the best way to:
- Inform the person trying to create an account that they cannot
- While not telling them why
- While also enabling the original account to recover their account if they were accidentally attempting to log in?
Is there a standard/best practice way to handle this?
My thoughts are that you simply say “We are unable to create an account at this time. If you have a previous account, reset your password here.”, followed by the standard “If you have an account, you will receive a password reset email.”
This is not related to this previous question, “Detect duplicates without exposing underlying data”, although that has a really great answer that’s well worth reading and actually may help solve the backend part of the issue. It is also not specifically related to password resets. It has to do with account creation only.