Failed login attempts are not counted if email address is null or empty

[theglobe]

If Email field is null or empty the UserManager will not update the database table and since AccessFailedCount is stored in the same table it will not be incremented.

await UserManager.AccessFailedAsync(user.Id).WithCurrentCulture(); returns an error, but this is not checked, in SignInManager.PasswordSignInAsync and SignInManager.TwoFactorSignInAsync.

This means that an attacker can guess passwords for such a user indefinitely.

[tymur999]

How would that be harmful though, since no identity account can have a null email?

[theglobe]

For instance if users can register with a phone number, or if using a custom user administration that allows an administrator to manually add users.

The minimal required information for a user account should be user name and password.

Is this repo maintained?

[theglobe]

This is when using a UserValidator with RequireUniqueEmail = true.

A possible workaround is to set RequireUniqueEmail = false, but then you will not get any email address validation when the users enters an email address.