Pen test results - Username Enumeration


Article ID: 228118


Products

CA Identity Suite

Issue/Introduction

Penetration testing results:

Risk Rating: LOW

Results:
The web application responses allow an attacker to enumerate usernames.

Issues:
By reading the application responses an attacker can programmatically discern when they have guessed a valid username. They can then generate a username list to use in a password cracking attack.

Recommendations:
Provide only a general error message whether a correct or incorrect username is entered. For example, "If your username was found on file, we will send you a password reset email."

Environment

Release : 14.3 CP2

Component : 14.3 CP2

Cause

For example, in Identity Portal, if you enter an invalid userID, Portal returns "Your userID is incorrect". This gives information to an attacker: they now know that the userID is wrong and can keep trying other userIDs with a brute force attack. Instead, a more general and generic message should be used so that a potential attacker is given no information about whether the userID exists.
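The following is an added example, not code from CA Identity Portal or from the pen test report: it places the leaky login pattern described above (a message that differs depending on whether the userID exists) beside the generic-response pattern the Recommendations section asks for, and adds a small check a defender can run to confirm that responses for a known and an unknown userID are indistinguishable. The user store, salt, messages and function names are constructed for the illustration.

```python
"""Username enumeration: leaky vs generic login responses (added example, constructed data)."""
import hashlib
import hmac

# Constructed sample user store: userID -> PBKDF2 hash. Not real accounts or credentials.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse battery staple")}

# A dummy hash is always compared against for unknown userIDs, so that the
# unknown-user path costs the same as the known-user path (no timing leak).
_DUMMY_HASH = _hash("dummy-placeholder")

GENERIC_LOGIN_ERROR = "Invalid user ID or password."
GENERIC_RESET_MESSAGE = (
    "If your username was found on file, we will send you a password reset email."
)


def login_leaky(user_id: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern: the message tells the caller whether the userID exists."""
    if user_id not in USERS:
        return 401, "Your userID is incorrect"
    if not hmac.compare_digest(USERS[user_id], _hash(password)):
        return 401, "Your password is incorrect"
    return 200, "Welcome"


def login_generic(user_id: str, password: str) -> tuple[int, str]:
    """Hardened pattern: identical status and message for an unknown userID and a
    wrong password, and the password hash is computed on every call."""
    stored = USERS.get(user_id, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash(password))
    if not (password_ok and user_id in USERS):
        return 401, GENERIC_LOGIN_ERROR
    return 200, "Welcome"


def reset_request_generic(user_id: str) -> tuple[int, str]:
    """Password-reset request that returns the recommended generic message.
    A real implementation would send the email only when the account exists;
    the HTTP response never reveals which case applied."""
    return 200, GENERIC_RESET_MESSAGE


def responses_distinguish_users(handler, known_user: str, unknown_user: str,
                                password: str = "wrong-password") -> bool:
    """Defender's regression check: True if the handler's (status, message)
    differs between a known and an unknown userID, i.e. enumeration is possible."""
    return handler(known_user, password) != handler(unknown_user, password)


if __name__ == "__main__":
    print("leaky handler enumerable:  ", responses_distinguish_users(login_leaky, "alice", "bob"))
    print("generic handler enumerable:", responses_distinguish_users(login_generic, "alice", "bob"))
```

The check compares the full (status, message) pair rather than only the text, because a different HTTP status or redirect for unknown users leaks the same information as a different message; in practice the same comparison should also cover response headers and, as far as possible, response time.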

Resolution

Resolved in 14.4.1, which is scheduled for release in early December 2021. That release will return a more generic error message for both the user and password stages of login.