Password reset requested for an email address that is not associated with user account

Idea created by Daniel Tan on Sep 16, 2018

Our school's Canvas setup is as follows:

• Students: local Canvas account
• Staff: Office 365 SSO

The user ID for a local Canvas account is the student's enrollment number instead of the usual default email address, as our students are not issued a school email address.

When a student requests a password reset at the login form, the system accepts the email address regardless of whether it exists in the system.

After checking with tech support, we found that this is actually intentional. Failing email addresses would give out usernames by a process of elimination. This is done as a security measure to prevent the unauthorized use of accounts. An email isn't actually sent, but a success message is shown.

In our situation, the security measure caused confusion for our users, especially those who did not enter an email address in their profile. The system accepted the email that was entered, but our users did not receive a password reset email in their mailbox.

May I suggest that, should the email address not match the information in the database, the alert box be red and the message read: "The information you have entered is incorrect. Please contact your school for assistance."

I would appreciate it if the team could look into this.
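As an added illustration (not Canvas's code or the poster's), here is a minimal Python reset handler showing the behaviour tech support described: the response is identical whether or not the address is known, so nothing can be inferred by elimination, while the unknown-address case is still written to an audit log so the helpdesk can explain a "missing" reset email. The account directory and email addresses are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# One fixed message for every request: the caller learns nothing about
# whether the address is on file.
GENERIC_MESSAGE = "If an account is associated with that address, a reset email has been sent."


@dataclass
class ResetService:
    # Constructed directory: email -> username. Students who never added an
    # email to their profile simply do not appear here.
    accounts: dict
    sent: list = field(default_factory=list)   # (email, token) actually dispatched
    audit: list = field(default_factory=list)  # events visible to staff, not to the requester

    def request_reset(self, email: str) -> dict:
        normalized = email.strip().lower()
        # Mint a token on every path so the known and unknown branches do the
        # same amount of work and the response is returned at a similar time.
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        username = self.accounts.get(normalized)
        if username is not None:
            # Real account: store the hash, mail the token (simulated here).
            self.sent.append((normalized, token))
            self.audit.append({"event": "reset_sent", "user": username, "token_hash": token_hash})
        else:
            # No account: nothing is sent, but the record lets the helpdesk see
            # why a student "never received" the email.
            self.audit.append({"event": "reset_unknown_email", "email": normalized})
        # Same dict, same message, regardless of which branch ran.
        return {"ok": True, "message": GENERIC_MESSAGE}

    def unknown_email_requests(self) -> list:
        # Helpdesk view: addresses that requested a reset but match no account.
        return [e["email"] for e in self.audit if e["event"] == "reset_unknown_email"]


if __name__ == "__main__":
    svc = ResetService(accounts={"staff@example.edu": "jbrady"})
    print(svc.request_reset("staff@example.edu"))
    print(svc.request_reset("student12345@example.edu"))
    print(svc.unknown_email_requests())
```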