I understand there is a security risk when linking an unverified password account with a passwordless account.
Excluding this use case, it would still be helpful to automatically link users who have verified username/password accounts.
For example, we are considering the following options:
- Turning off username/password signups while still allowing logins (we currently have many username/password accounts).
- Turning on a rule with forced email verification and editing the email verification template to be clearer about what the user is doing.
Option 1 is more secure, we believe.
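
The linking condition discussed in the post above, sketched as an added example that is not part of the original post and not any vendor's own code: a passwordless login is linked automatically only when both it and the matching username/password account have a verified email. The profile fields (`connection`, `email`, `email_verified`, `user_id`), the `decideLink` helper and the sample users are assumptions constructed for illustration.

```javascript
// Added example. Field names and action labels are hypothetical, modelled on
// common OIDC-style profiles; they are not a specific identity provider's API.

// Constructed sample user store.
const USERS = [
  { user_id: "pw|1", connection: "password", email: "alice@example.com", email_verified: true },
  { user_id: "pw|2", connection: "password", email: "bob@example.com", email_verified: false },
  { user_id: "pw|3", connection: "password", email: "carol@example.com", email_verified: true },
  { user_id: "pw|4", connection: "password", email: "Carol@Example.com", email_verified: true },
];

const normalize = (email) => String(email || "").trim().toLowerCase();

// Decide whether a passwordless login may be linked to an existing
// username/password account. Returns { action, target, reason }.
function decideLink(incoming, users) {
  if (incoming.connection !== "passwordless" || incoming.email_verified !== true) {
    return { action: "skip", target: null, reason: "incoming identity not verified" };
  }
  const email = normalize(incoming.email);
  const matches = users.filter(
    (u) => u.connection === "password" && normalize(u.email) === email
  );
  if (matches.length === 0) {
    return { action: "skip", target: null, reason: "no matching account" };
  }
  // An unverified password account may have been registered by someone who
  // does not control the mailbox; linking would merge it with the real owner.
  const verified = matches.filter((u) => u.email_verified === true);
  if (verified.length === 0) {
    return { action: "require_verification", target: null, reason: "password account email unverified" };
  }
  // More than one verified candidate: do not guess which account to merge.
  if (verified.length > 1) {
    return { action: "manual_review", target: null, reason: "ambiguous match" };
  }
  return { action: "link", target: verified[0].user_id, reason: "both emails verified" };
}
```
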