Pattern 05
Actionable error messages
Write every authentication error to name what happened and what to do next, without revealing information that helps an attacker enumerate accounts.
Problem
Generic errors like 'Something went wrong' or 'Invalid credentials' leave users guessing whether it's their password, their account, or the system — and erode trust in the product.
Recommendation
Write every authentication error to name what happened and what to do next, without revealing information that helps an attacker enumerate accounts.
UX impact
Users self-resolve more issues without contacting support, and perceive the product as competent even when something fails.
Security impact
Careful wording (e.g. 'If an account exists for this email, we've sent a reset link') keeps errors actionable without confirming account existence.
Implementation notes
Maintain a single source-of-truth error copy library shared across web and mobile so messages stay consistent as flows evolve.
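An added example of such a shared copy library (not code from this pattern library): internal authentication outcomes map onto user-facing messages that state what happened and the next step, outcomes that would reveal whether an account exists share one message, and a check enforces that invariant so a later copy edit cannot reintroduce enumeration. Outcome names, messages and function names are constructed for this example.

```python
"""Added example: one error-copy library for all auth flows, plus a check that
enumeration-sensitive outcomes always render identical copy."""
from enum import Enum, auto

class Outcome(Enum):
    # Internal outcomes the auth service distinguishes (constructed names).
    UNKNOWN_ACCOUNT = auto()
    WRONG_PASSWORD = auto()
    ACCOUNT_LOCKED = auto()
    MFA_CODE_INVALID = auto()
    RESET_SENT = auto()        # reset requested, account exists
    RESET_NO_ACCOUNT = auto()  # reset requested, no such account

# Each message is (what happened, what to do next); both halves are always shown.
SIGN_IN_FAILED = ("We couldn't sign you in with that email and password.",
                  "Check both for typos, or choose 'Forgot password' to reset it.")
RESET_REQUESTED = ("If an account exists for this email, we've sent a reset link.",
                   "Check your inbox and spam folder.")

COPY = {
    Outcome.UNKNOWN_ACCOUNT: SIGN_IN_FAILED,
    Outcome.WRONG_PASSWORD: SIGN_IN_FAILED,
    # A lockout is reported to the account owner out of band (e.g. by email),
    # so the form copy stays identical to a plain failed sign-in.
    Outcome.ACCOUNT_LOCKED: SIGN_IN_FAILED,
    Outcome.MFA_CODE_INVALID: ("That verification code didn't work.",
                               "Enter the newest code from your authenticator app."),
    Outcome.RESET_SENT: RESET_REQUESTED,
    Outcome.RESET_NO_ACCOUNT: RESET_REQUESTED,
}

# Outcomes whose copy must be identical: any difference would confirm
# whether an account exists for the submitted email.
ENUMERATION_GROUPS = (
    {Outcome.UNKNOWN_ACCOUNT, Outcome.WRONG_PASSWORD, Outcome.ACCOUNT_LOCKED},
    {Outcome.RESET_SENT, Outcome.RESET_NO_ACCOUNT},
)

def message_for(outcome: Outcome) -> str:
    """Render the user-facing text: what happened, then the next step."""
    what, next_step = COPY[outcome]
    return f"{what} {next_step}"

def check_copy_library() -> list[str]:
    """Return names of outcomes that lack copy or whose copy leaks account existence."""
    problems = [o.name for o in Outcome if o not in COPY]
    for group in ENUMERATION_GROUPS:
        if len({message_for(o) for o in group}) > 1:
            problems.extend(sorted(o.name for o in group))
    return problems
```

Run `check_copy_library()` in the copy library's test suite so web and mobile clients, which only ever call `message_for`, cannot drift apart or start exposing account existence.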