
Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have

Hallvard B Furuseth writes:
> Another feature: Don't disclose the existence/absence of a user unless authentication succeeds.

Strong disagreement.

> Or at least don't require it to be disclosed.

Perfectly okay.

An example of the difference: Suppose the mechanism uses a password and the user's password (matches but) is expired. In that case it's reasonable to fail authentication, but an implementation may also wish to reveal that the user exists by saying "go get a new password, the one you're using has expired".

Arnt
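The distinction Arnt draws, as an added example written for this archive page (it is not code from the thread, from any SASL implementation, or from either author): the server returns one indistinguishable "failed" result whether the user is unknown or the password is wrong, does the same password-hashing work in both cases so response time does not reveal which usernames exist, and only reveals the "expired" state once the supplied password has actually matched. The in-memory account table, the PBKDF2 parameters, and the fixed timestamps are constructed assumptions for the example.

```python
"""Added example, not from the mailing-list thread: an authentication check that
does not disclose whether a user exists on failure, but may report password
expiry after the password itself has matched (Arnt's "go get a new password")."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: a work factor chosen for the example, not a recommendation.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    expires_at: float  # unix time after which the password must be changed


# Constructed sample account store (assumption: a dict stands in for a real backend).
_SALT = b"constructed-salt-for-example"
ACCOUNTS = {
    # password still valid (constructed expiry far in the future)
    "alice": Account(_SALT, hash_password("correct horse", _SALT), expires_at=2_000_000_000),
    # password matches but has expired (constructed expiry in the past)
    "bob": Account(_SALT, hash_password("battery staple", _SALT), expires_at=1_000_000_000),
}

# Dummy record used for unknown users so that the same PBKDF2 work is done
# whether or not the name exists; otherwise timing alone leaks existence.
_DUMMY = Account(_SALT, hash_password("dummy", _SALT), expires_at=float("inf"))


def authenticate(user: str, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'expired', or 'failed'.

    'failed' is the same result for an unknown user and for a wrong password,
    so the response does not disclose whether the account exists.
    """
    now = time.time() if now is None else now
    known = user in ACCOUNTS
    acct = ACCOUNTS.get(user, _DUMMY)

    # Always compute and compare, even for the dummy record.
    candidate = hash_password(password, acct.salt)
    matched = hmac.compare_digest(candidate, acct.pw_hash) and known
    if not matched:
        return "failed"

    if now > acct.expires_at:
        # The caller has proven knowledge of the password, so telling them it
        # has expired (and thereby that the account exists) is acceptable.
        return "expired"
    return "ok"


if __name__ == "__main__":
    now = 1_500_000_000  # constructed "current time" between the two expiries
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"),
                     ("alice", "wrong"), ("nobody", "dummy")]:
        print(f"{user!r}/{pw!r}: {authenticate(user, pw, now=now)}")
```

The point of the dummy record is that a mechanism which "does not require disclosure" must also avoid disclosing existence through side channels: skipping the hash for unknown users would make the negative path measurably faster than the wrong-password path.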