Account linking security concerns

According to the official documentation on precautions and the example account linking with actions, when linking accounts using an external custom application, I should ask the user to authenticate with another identity to ensure they own both accounts.

However, what should I do if a user logs in with a new identity (e.g., Facebook) and I find another account with the same email that already includes two linked identities: the primary identity being login/password and the secondary identity being Google? I want to link this new Facebook identity under the login/password identity (to have one account with login/password primary identity and two secondary identities, Google and Facebook). Should I ask the user to authenticate with both the login/password and Google identities to verify ownership, or is it sufficient to require authentication only for the login/password identity, since the login/password and Google identities have already been linked in the past?

Hi @vitaliip

Welcome to the Auth0 Community!

Thank you for posting your question. There’s no need to verify the identity of the other factor as the Google factor was already linked between email/password and Google. If your user properly verifies their identity in the primary account (email/password), you can link with the Facebook identity.

Thanks
Dawid

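As an added example (not code from this thread, from Auth0, or from an Auth0 Action), here is a small policy check in JavaScript that encodes the rule in the answer above: a new identity is linked into an existing account only when the account's primary identity was authenticated in the current session; a matching email on its own, or a fresh login on an already-linked secondary such as Google, is not enough. The account model, identifiers and function names are hypothetical.

```javascript
// Constructed sample: an account whose primary identity is email/password,
// with a Google identity already linked as a secondary (placeholder ids).
const existingAccount = {
  email: "alice@example.com",
  primary: { provider: "auth0", userId: "primary-user" },
  secondaries: [{ provider: "google-oauth2", userId: "g-123" }],
};

// Stable key for comparing identities (hypothetical helper).
function identityKey(id) {
  return `${id.provider}|${id.userId}`;
}

// Decide whether `newIdentity` may be linked into `account`.
// `verifiedThisSession` lists identities the user authenticated with just now.
function linkDecision(account, newIdentity, verifiedThisSession) {
  const verified = new Set(verifiedThisSession.map(identityKey));
  const newKey = identityKey(newIdentity);

  // The incoming identity itself must have been authenticated, not merely
  // matched by email address.
  if (!verified.has(newKey)) {
    return { ok: false, reason: "new identity not authenticated" };
  }
  const linked = [account.primary, ...account.secondaries];
  if (linked.some((i) => identityKey(i) === newKey)) {
    return { ok: false, reason: "identity already linked" };
  }
  // Core rule from the answer: only the PRIMARY identity needs a fresh
  // authentication; previously linked secondaries are not re-verified.
  if (!verified.has(identityKey(account.primary))) {
    return { ok: false, reason: "primary identity not authenticated" };
  }
  return { ok: true, reason: "link allowed" };
}

// Apply a permitted link; returns a new account object, leaving input intact.
function linkIdentity(account, newIdentity) {
  return { ...account, secondaries: [...account.secondaries, newIdentity] };
}

// Walk through the scenario from the question.
const facebook = { provider: "facebook", userId: "fb-456" };
const decision = linkDecision(existingAccount, facebook, [facebook, existingAccount.primary]);
const updatedAccount = decision.ok ? linkIdentity(existingAccount, facebook) : existingAccount;
console.log(decision.reason, updatedAccount.secondaries.length); // link allowed 2
```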

Hi @dawid.matuszczyk

Got it! Your explanation clarified everything. Thanks for the help!

Best regards,
Vitalii

