Security Concerns for automatic account linking

Hi,

I have read multiple posts regarding the automatic account linking. Can someone help me understand why there could be security concerns if both accounts have been verified?

For example, a user initially signed up using username and password, verified the account and then logged in with the social email. If the social login is successful, what’s the security concern of automatically linking the social account to the username/password account?

Thank you!

Ref: Enable automatically linking user accounts with different identities

Hi @zhoucheng

Welcome to the Auth0 Community!

Thank you for sharing your question about security concerns regarding automatic account linking. Based on my research about this topic, the conclusion is that the security concern boils down to the human aspect. All the additional steps that you or other developers are taking are meant to reduce the risk, but there’s a risk that an unauthorized third party can gain access to the user account.

Email Verification Isn’t Full Proof of Ownership: just because a user has verified their email address for two different accounts (traditional and social), it doesn’t conclusively prove that the same person owns both accounts. Email accounts can be compromised, or the email could be shared or accessible by multiple individuals.

For example, Jane has her Facebook account compromised but was smart enough to use a different password for her email (or perhaps the compromise was through a method that didn’t involve a password at all). She might recover that account at a future point, but an attacker could also use it to leverage a takeover of her account on your site.

authentication - Social login - authenticate if email exists or create new user - Information Security Stack Exchange.

Thanks
Dawid
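
The reasoning in the answer above, as an added example that is not part of the original thread and is not Auth0 code: a link policy that trusts a verified email match alone, next to one that treats the match only as a candidate and links after the user has freshly signed in to the existing account. All function names, field names, return values and the five-minute window are hypothetical, and the sample records are constructed.

```javascript
// Added example: hypothetical names throughout; this is not an Auth0 API.
const MAX_PROOF_AGE_MS = 5 * 60 * 1000; // assumption: proof of login must be recent

function normalize(email) {
  return String(email || "").trim().toLowerCase();
}

// Naive policy: link whenever both identities report the same verified email.
function naiveLinkDecision(existing, incoming) {
  const a = normalize(existing.email);
  const sameEmail = a !== "" && a === normalize(incoming.email);
  return sameEmail && existing.emailVerified === true && incoming.emailVerified === true
    ? "link"
    : "keep_separate";
}

// Hardened policy: a verified match only makes the two accounts link candidates.
// Linking also requires that this session recently authenticated to the
// existing account (session.primaryAuth = { userId, at } is an assumed shape).
function hardenedLinkDecision(existing, incoming, session, now = Date.now()) {
  if (naiveLinkDecision(existing, incoming) !== "link") return "keep_separate";
  const proof = session && session.primaryAuth;
  const age = proof ? now - proof.at : NaN;
  const fresh = Boolean(proof) && proof.userId === existing.userId &&
    age >= 0 && age <= MAX_PROOF_AGE_MS;
  return fresh ? "link" : "prompt_existing_login";
}

// Constructed scenario: the social identity asserts Jane's verified email,
// but nobody in this session has logged in to her password account.
function demo(now = Date.now()) {
  const existing = { userId: "u1", email: "jane@example.com", emailVerified: true };
  const incoming = { provider: "social", email: "Jane@Example.com", emailVerified: true };
  return {
    naive: naiveLinkDecision(existing, incoming),
    hardenedNoProof: hardenedLinkDecision(existing, incoming, {}, now),
    hardenedWithProof: hardenedLinkDecision(
      existing, incoming, { primaryAuth: { userId: "u1", at: now - 60 * 1000 } }, now),
  };
}

console.log(demo());
```

With the hardened policy, control of the social identity alone leads to a login prompt for the existing account instead of a merged profile.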
