Avoid duplicate user with same email

Hi all,

We want to prevent users from creating a secondary account with the same email (through multiple social logins or a local account).
Linking accounts is not an option (it could create a security breach).
We just want to notify the users that they already have an account with the same email.
I found several posts on that subject, like Using pre registration Hooks to prevent duplicate account creation or Prevent multiple signups with the same email across different connections
But no answer with an implementation.

The right way seems to be to implement a Pre-Registration Hook, but I can't find any sample for that.
I'm not fluent in JS and new to Auth0, and it's hard to find the right way to implement it.

Do you have an example for this frequent need?
At least a Hook example using the right API and the right way to notify the user with an error message if we find a duplicate account.

Regards,
Philippe

Hi Philippe,

I don’t know of a sample for this. But why would account linking create a security breach?

It must be done properly, of course, but if so, I don’t know of a security breach.

And account linking is a very user-friendly feature.

But if you want to implement the "no duplicate e-mails" feature, you'll need to call the Management API endpoint that gets users by e-mail.

John

Hi John,

It has already been explained in the mentioned posts:
"However that doesn't solve the situation where a user creates an account via social login and then a hacker creates a new username-password account with the same email and accesses their account. The other way round is fine and we can use account linking, but we need to prevent the username-password account from being created if a social login already exists."

And when you link several accounts, the resulting security is the minimum of the accounts:
If I don't remember that I created a local account 2 years ago, I might be confident in my security as I now have 2FA on my social account (the account I usually use).
But there is still a sleeping valid account that gives access to the linked account.

The last case we think of is about the reuse of email: if I have an email that was already used previously, the account will be linked with the account of the previous owner.

Philippe

Hi Philippe,

For account linking, to be secure, a user MUST authenticate to BOTH accounts to be linked. For example, they log in with Facebook, and then the account linking extension says “looks like you have this username-password account too, please authenticate to it to link them”.

So I don’t follow the comment in that thread. The attacker can create an account with the same e-mail, and possibly get it validated, but the user cannot authenticate to it, since they don’t know the password.

That is a valid point about the weakest link, though there are alternative approaches.

With account linking, the rule of thumb is “authenticate to both accounts, you must prove ownership to both accounts”. This will avoid the kind of issues you are looking at.

I hope this helps, let me know.

John