There is no pair for the enterprise users signing in with their company's SSO or those using Passkey.
replyI think what some sites do is have a visually hidden, not required password field that a password manager can fill in. If it's not a password-based auth, the flow goes to the next step but if it is, it reveals the password field which may already be filled in.
Aren't you leaking that there's an account with that email that has a non-password auth method if you treat them differently?
replyHow would you avoid that? How would someone exploit that information? The whole point of the other auth means are that they're more secure.
replyIf someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.
replyUsername enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.
It's very low on my list of concerns though, usually there's much worse problems when I pentest.