Enforce Stronger Security on Username / Password Errors

#505 provides an appropriately ambiguous "Username or password incorrect." error.

But the underlying error messages from Cognito are not similarly ambiguous. Cognito has updated with a capability to not provide any error message that would reveal an account. We should enable that and then review handling of error scenarios.