I’m going to give some advice from a Security standpoint + UX. I wouldn’t sacrifice either one for the other. Have both.
There’s an important question of secure practices in your question. The Best Practice from a security standpoint is to not identify which entry was invalid, and have a generic answer. Let’s ask What Would Google Do and take Google’s gmail as an example:
Going through the Can’t access your account? link, gmail will eventually tell you that this account does not exist:
It’s ultimately up to you whether or not you want to do this. From a security standpoint, attackers can begin to collect the valid usernames in your application. From a usability standpoint, you’ve just helped someone figure out which of their countless e-mail addresses they used on your account, and can get logged in sooner.
Who tells you if a name exists?
The most secure practice is to tell the user something along the lines of: “If a valid e-mail address was entered, instructions to reset your password have been sent”
This won’t reveal the username. So your first option is definitely more secure.
From a usability standpoint, you can definitely provide multiple methods of trying to get back into the account (login with Twitter, Gmail, Facebook… there are APIs for that).
Check out this Smashing Magazine article that reviews the many approaches to login forms:
Just to summarize: a user might be frustrated that they can’t remember which email they used. A user will lose all confidence in you if their account gets hacked because UX trumped security.
I hope this helps Erics, I’m really curious what solution you end up choosing.
Some technical security stuff:
To learn more about enumeration and the real danger it causes:
It may also be helpful to learn more about forgot password security from this OWASP cheat sheet: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
It gives best practices for business applications, but is also still useful to keep in mind.
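As an added illustration of the generic-response practice the answer describes (not code from the original post or from any of the linked resources), the following Python shows a login check and a forgot-password handler that respond the same way whether or not the account exists, next to a "leaky" login variant that reveals which field was wrong. The user store, salt, and outbox are constructed stand-ins for a database and a mail queue.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample user store: e-mail -> PBKDF2 hash.  A fixed salt keeps the
# example deterministic; a real system uses a random per-user salt.
_SALT = b"constructed-static-salt"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS: Dict[str, bytes] = {
    "alice@example.com": _hash_password("correct horse"),
}

# Hash of a random throwaway password, used when the account does not exist so
# the server does the same amount of work (and takes about the same time) either way.
_DUMMY_HASH = _hash_password(secrets.token_hex(16))

GENERIC_LOGIN_ERROR = "Invalid e-mail address or password."
GENERIC_RESET_MESSAGE = (
    "If a valid e-mail address was entered, instructions to reset your password have been sent."
)


def login_leaky(email: str, password: str) -> Tuple[bool, str]:
    """What NOT to do: the error text tells the caller whether the account exists."""
    if email not in USERS:
        return False, "No account with that e-mail address."
    if not hmac.compare_digest(USERS[email], _hash_password(password)):
        return False, "Incorrect password."
    return True, ""


def login(email: str, password: str) -> Tuple[bool, str]:
    """Generic response: unknown account and wrong password are indistinguishable."""
    stored = USERS.get(email, _DUMMY_HASH)
    candidate = _hash_password(password)
    # Always run the constant-time comparison, then require that the account really exists.
    matched = hmac.compare_digest(stored, candidate)
    if matched and email in USERS:
        return True, ""
    return False, GENERIC_LOGIN_ERROR


def request_password_reset(email: str, outbox: List[dict]) -> str:
    """Always return the same message; only queue a reset e-mail for real accounts.

    `outbox` stands in for an asynchronous mail queue, so sending does not delay
    the HTTP response differently for existing and non-existing accounts.
    """
    if email in USERS:
        token = secrets.token_urlsafe(32)  # single-use, expiring token in a real system
        outbox.append({"to": email, "token": token})
    return GENERIC_RESET_MESSAGE


if __name__ == "__main__":
    mail_queue: List[dict] = []
    print(login("alice@example.com", "correct horse"))
    print(login("alice@example.com", "wrong"))
    print(login("nobody@example.com", "wrong"))
    print(request_password_reset("alice@example.com", mail_queue))
    print(request_password_reset("nobody@example.com", mail_queue))
    print(len(mail_queue), "reset e-mail(s) queued")
```

The point of `_DUMMY_HASH` is that the hardened `login` still spends the cost of a password hash on unknown accounts; returning early for a missing user would leak existence through response time even though the message text is identical.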