The Security Console login form responds differently for existing and non-existing usernames For example typing my username into the "User ID" field will then generate a "Authentication Method" drop-down that contains the options "Password" and "Passcode", which are the two types of authentications method I have setup. However, typing something made up into the "User ID" field will then generate a "Authentication Method" drop-down that contains the options "Password", "Passcode" and "On-Demand Authentication". I (and the majority of users) don't have the "On-Demand Authentication" authentication method (but we do use it for some).
By knowing this information it could potentially allow username enumeration, which would be helpful during a brute-force attack against the application, basically allowing someone to know if it's a real account or not. This type of threat is listed at the following site:
Is there any options that can be set to make the Security Console respond in the same way for existing and non-existing usernames?