Single sign on - multiple tracks to the same e-mail

I’m wondering how others here are implementing single sign on using server-side such as Google, Facebook etc. Specifically with regard to conflicts.

Consider for example if you have a local sign in option and the user registers their e-mail address. Then next time they come back they click the “Login with Google” button, which happens to be the same e-mail address. What do you do? Create a separate account? Show an error? The other option would be to log them in, but I feel there are security issues that way (typos in an e-mail and you might have access to someone else’s account for example).

What do you do?

The way we do it at VITY is that we base everything off of the email address, first and foremost. So, when a user registers, and we get their email, everything afterwards uses that specific email.

For example, say you logged in with Twitter first. And since Twitter doesn’t actually provide an email, you enter your email address during the signup process. So we have your email.

Now, the next time you come to the site, you want to log in with Facebook. So you do. And if your confirmed email stored on Facebook matches the email we have stored, we’ll let you log in as that user. Since we trust Facebook to have validated that email. Which they do.

But, let’s say your Facebook email DOESN’T match what we have; in that case we assume you’re a new user and register you as a new user. But that can cause problems, if, for example, it IS the same person, but the two accounts have separate email addresses.

So. To get around THAT, we make it so once you’re already signed up you have the ability to link your other social accounts as a signed in member. And once you’re a signed in member, we now trust that your social link is actually your social account regardless of email.

That said, yeah, kind of a PITA to implement (I’m the developer), but it’s been the most effective path to date (we’ve found anyway).

Hope that helps.
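The resolution rules described in the post above, written out as an added example (this is illustrative code, not VITY's implementation; the `AccountStore`, `Account`, `social_login` and `link_provider` names and the in-memory store are assumptions). It adds one check the thread's typo concern calls for: a provider-verified e-mail only matches an existing account whose own e-mail was verified too, so an unverified local registration under someone else's address cannot capture their later social login.

```python
"""Account resolution for social sign-in, keyed on verified e-mail.

Added example, not the forum poster's code. Models the rules in the post:
  1. A provider identity already linked to an account logs in as that
     account, whatever e-mail the provider reports now.
  2. Otherwise, a provider-VERIFIED e-mail matching an existing account
     (whose e-mail is also verified) logs in as that account and links
     the provider identity to it.
  3. Otherwise a new account is created. An unverified provider e-mail
     is never used to match, so it cannot reach an existing account.
  4. A signed-in user can link a provider identity explicitly,
     regardless of the e-mail the provider reports.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    id: int
    email: str                # canonical (stripped, lower-cased) e-mail
    email_verified: bool      # True if confirmed by us or by a trusted provider
    # provider name -> provider's stable user id (never the e-mail)
    links: Dict[str, str] = field(default_factory=dict)


class AccountStore:
    """In-memory stand-in for the user table (constructed for the example)."""

    def __init__(self) -> None:
        self._accounts: Dict[int, Account] = {}
        self._next_id = 1

    @staticmethod
    def canonical(email: str) -> str:
        return email.strip().lower()

    def by_email(self, email: str) -> Optional[Account]:
        want = self.canonical(email)
        return next((a for a in self._accounts.values() if a.email == want), None)

    def by_link(self, provider: str, provider_uid: str) -> Optional[Account]:
        return next((a for a in self._accounts.values()
                     if a.links.get(provider) == provider_uid), None)

    def create(self, email: str, verified: bool) -> Account:
        acct = Account(self._next_id, self.canonical(email), verified)
        self._accounts[acct.id] = acct
        self._next_id += 1
        return acct


def social_login(store: AccountStore, provider: str, provider_uid: str,
                 email: str, email_verified: bool) -> Tuple[Account, str]:
    """Resolve a social login to an account; returns (account, how)."""
    # Rule 1: an already-linked provider identity wins, e-mail is ignored.
    acct = store.by_link(provider, provider_uid)
    if acct:
        return acct, "existing-link"
    # Rule 2: only a provider-verified e-mail may match, and only an account
    # whose stored e-mail was itself verified (guards against someone who
    # registered locally with an address they do not own).
    if email_verified:
        acct = store.by_email(email)
        if acct and acct.email_verified:
            acct.links[provider] = provider_uid
            return acct, "matched-verified-email"
    # Rule 3: anything else is a new user; the verified flag follows the provider.
    acct = store.create(email, email_verified)
    acct.links[provider] = provider_uid
    return acct, "new-account"


def link_provider(store: AccountStore, signed_in: Account,
                  provider: str, provider_uid: str) -> Account:
    """Rule 4: explicit linking from an authenticated session."""
    other = store.by_link(provider, provider_uid)
    if other and other.id != signed_in.id:
        # One provider identity must not map to two accounts.
        raise ValueError("provider identity already linked to another account")
    signed_in.links[provider] = provider_uid
    return signed_in
```

Linking is keyed on the provider's stable user id, not the e-mail, so a later e-mail change at the provider does not break or redirect the login.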

That’s really interesting - thanks! Do you have any idea what proportion of your users will log in using 2 or more of the different authenticators? Presumably the majority stick to the same one every time.

I can’t help but feel there is potential for security issues this way - if the e-mail address from the authenticator isn’t validated, then any old Facebook (or whatever) account could be used to log into an account, just by changing the e-mail address. If the authenticator does validation of the e-mail address before it is available via OAuth (or whatever), then that’s probably fine, but otherwise, that’s potentially nasty.

Yup! We did EXTENSIVE testing to ensure that things were secure so, yes, Facebook DOES require validation before the email can be used for OAuth 🙂