Hi there - A good number of our users use Social Sign up. We recently had someone (Person A) access another user's account (Person B) by "Signing Up with Email" using the same email as someone who had already signed up using Social Sign up. Person A was basically able to create a new account with the Email/Password option and log in to Person B's existing account. How do I prevent this from happening?
There are a few ways to prevent or handle this situation, depending on your preferences and requirements. Here are some possible solutions:
- Use the Account Linking Extension to automatically or manually link accounts with the same email address. This will merge the user profiles and identities, and allow the user to access their account with any of the linked providers. However, this method requires user consent and may not work for some scenarios, such as when the user wants to keep separate accounts for different purposes.
- Handle the duplicate accounts in your own system, by having a relationship between the Auth0 user IDs and the user records in your database. This will allow you to manage the user data and permissions independently of the Auth0 identities, and avoid accidental merging of accounts. However, this method may require more development effort and maintenance, and may not provide a consistent user experience across different providers.
Some reference links for the same
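The second option above, keyed on Auth0 user IDs rather than on e-mail, as an added example that is not part of the original thread or of any Auth0 library. It assumes only the standard OIDC ID-token claims `sub`, `email` and `email_verified`; the `UserStore`, `resolveLocalUser` and `linkIdentity` names are hypothetical application code. The point it demonstrates is the one the question turns on: a login callback must look up the local account by the provider's stable subject identifier, and an identity that merely shares an e-mail with an existing account gets no session until the account owner links it explicitly with a verified address.

```javascript
// Added example (not from the original post or from Auth0): resolve the local
// account by the OIDC "sub" claim, never by e-mail alone, and refuse to merge
// two identities that only share an e-mail address. Store and function names
// are hypothetical.

class UserStore {
  constructor() {
    this.byIdpId = new Map();  // sub ("provider|id") -> local user record
    this.byEmail = new Map();  // normalised e-mail -> local user record
    this.nextId = 1;
  }
}

function normaliseEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : null;
}

// Called on every login/sign-up callback with the already-validated ID-token
// claims. A session is only issued for 'existing' and 'created'.
function resolveLocalUser(store, claims) {
  if (!claims || typeof claims.sub !== 'string' || claims.sub.length === 0) {
    return { action: 'denied', reason: 'missing sub claim' };
  }
  // 1. Normal path: this exact identity has logged in before.
  const known = store.byIdpId.get(claims.sub);
  if (known) {
    return { action: 'existing', user: known };
  }
  // 2. New identity whose e-mail already belongs to a local account. Do NOT
  //    hand that account over: the caller has proven control of this identity,
  //    not ownership of the existing account.
  const email = normaliseEmail(claims.email);
  if (email && store.byEmail.has(email)) {
    return {
      action: 'link_required',
      reason: 'e-mail already in use; sign in with the original method and link explicitly',
    };
  }
  // 3. Genuinely new user: create a record keyed by sub.
  const user = { id: store.nextId++, email, identities: [claims.sub] };
  store.byIdpId.set(claims.sub, user);
  if (email) store.byEmail.set(email, user);
  return { action: 'created', user };
}

// Explicit linking: the caller must already hold a session for sessionSub
// (an identity that owns the account), and the identity being attached must
// carry a verified e-mail that matches the account's e-mail.
function linkIdentity(store, sessionSub, newClaims) {
  const owner = store.byIdpId.get(sessionSub);
  if (!owner) return { ok: false, reason: 'no authenticated owner' };
  if (store.byIdpId.has(newClaims.sub)) return { ok: false, reason: 'identity already linked' };
  if (newClaims.email_verified !== true) return { ok: false, reason: 'e-mail not verified' };
  if (normaliseEmail(newClaims.email) !== owner.email) return { ok: false, reason: 'e-mail mismatch' };
  owner.identities.push(newClaims.sub);
  store.byIdpId.set(newClaims.sub, owner);
  return { ok: true, user: owner };
}

// Constructed scenario from the question: Person B signed up with a social
// provider, then Person A signs up with e-mail/password using B's address.
function demo() {
  const store = new UserStore();
  const personB = { sub: 'google-oauth2|1001', email: 'b@example.com', email_verified: true };
  const personA = { sub: 'auth0|2002', email: 'B@example.com', email_verified: false };
  const first = resolveLocalUser(store, personB);   // created
  const attack = resolveLocalUser(store, personA);  // link_required, no session
  const again = resolveLocalUser(store, personB);   // existing, same record as first
  const badLink = linkIdentity(store, personB.sub, personA); // rejected: e-mail not verified
  const goodLink = linkIdentity(store, personB.sub, { ...personA, email_verified: true });
  return { store, first, attack, again, badLink, goodLink };
}
```

The lookup-by-`sub` step is what closes the hole in the question: with the e-mail/password identity unverified, `resolveLocalUser` returns `link_required` and issues nothing, and only a session that already belongs to Person B can attach the new identity, and only once its e-mail is verified.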