How to manage local signups when there may be an existing social user

Is there a best practice for dealing with local signups when a social user may already exist with the same email address, but I’m not allowed to require email verification for local accounts?

I need to be able to support signups for users who want to create accounts using either a local Auth0 connection or a social provider. The challenge is that I can’t enforce email verification for local users, and that leads to a massive security hole.

The application I’m dealing with gladly accepts the login from either source, and it will automatically link the users based on email address.

This leads to the security hole where User A signs up with a social login and only ever uses the social login, and User B registers for an Auth0 local user account with User A’s email address.

One idea would be to create a local user automatically whenever a new social user signs up. This would prevent anyone else from signing up for a local account using the social user’s email address. Is this feasible with a rule? Are there better ways to handle this that don’t require verifying local users’ email addresses?

and it will automatically link the users based on email address.

If you can’t verify the email addresses, don’t automatically link the accounts but use the Account Linking extension, where the user has to verify that he owns the respective other account by authenticating with it as well before the linking happens.

(Note that an identity from Google for example always comes back with the claim email_verified: true, so you probably don’t want that to overwrite the email_verified root claim of a possibly unverified local user account. Keep that in mind in the rule logic that comes with the Account Linking extension, when you merge the values of this field.)

One idea would be to create a local user automatically whenever a new social user signs up.

What happens if User B registers the local user account with A’s email address before User A has even signed up with his social account? Would you then block the real User A from signing up with a social account? I think this is really hard to prevent.
Curious, why are you not allowed to verify email addresses? It would definitely solve a few problems. Especially, you can’t auto-delete these “fake” accounts (i.e. if the user doesn’t verify his email within x days) if you’re not allowed to do so.

I’ll take another look into the account linking extension. I’ve looked at it briefly, but giving the option to keep the accounts separate seemed like it wasn’t going to work. If the extension will only create the second account after the user has verified the credentials of the first, that could work.

We wouldn’t block User A from coming in with the social account.

User B registers UserA@gmail.com as a local user in Auth0.
User A comes in and signs up with UserA@gmail.com using Sign Up With Google.

At this point, we trust the login from UserA@gmail.com coming from the social login, but we need to ensure that UserA is also in control of the local account. Blocking the local account until a password reset has been completed would be one way. This would prevent User B from logging in as the local usera@gmail.com account.

I’ve tested the Account Linking Extension, and it doesn’t appear to solve the security hole I’m facing since I cannot enforce email verification due to an executive decision.

My two next best options seem to be:

  1. Find a way to remove the option to proceed with the unlinked duplicate account from the account linking extension.
  2. Write a rule that requires email verification only for duplicate accounts. I haven’t brought this up internally, yet, but I think I can sell it as a fraud prevention measure.