<@U04UQ68083H> which setting do I have to change, ...
# ory-copilot
f
@chilly-king-10285 which setting do I have to change so the registration API is not leaking information that the user with the email is already registered?
b
A message from kapa.ai
To prevent account enumeration during registration, you need to enable the "notify_unknown_recipients" setting for verification flows. This prevents attackers from determining if an email is already registered by analyzing system responses. There are two approaches to configure this:

### Using Ory Console

Go to Authentication → Email verification in the [Ory Console](https://console.ory.sh/projects/current/verification) and toggle Notify unknown recipients on.

### Using Ory CLI

1. First, download your current identity configuration:
```
ory list workspaces
ory list projects --workspace <workspace-id>
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml
```
2. Edit the configuration file to enable the setting:
```yaml
flows:
  verification:
    enabled: true
    lifespan: 15m
    use: code
    notify_unknown_recipients: true
```
3. Update your configuration:
```
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
```
This setting ensures that when someone attempts to register with an already registered email, the system will still send a notification email but won't create a new account, making it harder for attackers to enumerate accounts.

[Ory Docs: Attempted verification notifications](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#attempted-verification-notifications)

You might also want to enable a similar setting for account recovery flows to provide comprehensive protection against enumeration attacks.