docs: account enumeration mitigation (#2126)

* docs: account enumeration mitigation

* Update docs/identities/sign-in/identifier-first-authentication.mdx

Co-authored-by: Jonas Hungershausen <[email protected]>

* chore: synchronize workspaces

---------

Co-authored-by: Jonas Hungershausen <[email protected]>

Author: aeneasr

docs/identities/sign-in/identifier-first-authentication.mdx

@@ -7,6 +7,12 @@ sidebar_label: Identifier first authentication
 Identifier first authentication first requests the user's identifier such as an email or username before prompting for a password
 or other authentication methods.
 
+:::note
+
+Identifier first authentication is required when using B2B Organization login.
+
+:::
+
 This guide explains how to enable and use identifier first authentication in Ory Network and self-hosted Ory Kratos.
 
 ## Ory Network
@@ -35,3 +41,23 @@ selfservice:
 ```
 
 To disable this feature, set `style` to `unified`.
+
+## Account enumeration mitigation
+
+Account enumeration mitigation prevents malicious actors from being able to identify if a user exists or not.
+
+By default, Ory does not prevent account enumeration in the identifier first authentication flow. This improves user experience as
+the user quickly knows if they have an account with the chosen identifier (email / username) or not. To enable account
+enumeration, use the Ory CLI patch command
+
+```shell
+ory patch identity-config --project <project-id> --add '/security/account_enumeration/mitigate=true'
+```
+
+or if you use a config file, add the following to your `kratos.yaml` config file:
+
+```yaml title="kratos-config.yaml"
+security:
+  account_enumeration:
+    mitigate: true
+```

docs/kratos/organizations/organizations.mdx

@@ -56,6 +56,9 @@ graph LR
 />
 ```
 
+Organizations require identifier-first authentication and two-step registration when using Account Experience 2.x or Ory Elements
+1.x.
+
 ## Manage organizations
 
 ```mdx-code-block