CIAM.wiki

Account Linking

Account linking is the process of connecting multiple login credentials or identity provider accounts to a single user profile, so the user can sign in through different methods and reach the same account.

Also: account linking, identity linking

Account linking merges multiple authentication identities into one user record. A customer might first register with an email and password, later sign in with a social provider, and eventually add a passkey. Without account linking, each method could create a separate account, fragmenting the customer’s data and history.

Linking can be automatic or manual. Automatic linking matches identities by a shared attribute, most commonly a verified email address. If a new social login returns the same email as an existing account, the system associates them. Manual linking requires the user to sign in with both credentials in sequence to prove ownership of each.

Security matters in the linking decision. Linking based on an unverified email opens the door to account takeover: an attacker registers a social account with the victim’s email, the system links it to the victim’s existing account, and the attacker gains access. Requiring email verification or an active session before linking mitigates this risk.
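The automatic and manual linking rules above, together with the verification check, can be expressed as one decision function. This is an added example, not code from CIAM.wiki or any product; `decide_link`, `Decision`, `Account` and the sample accounts are hypothetical names and constructed data, and requiring the stored email to be verified as well is an assumption of the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Decision(Enum):
    SIGN_IN = "sign in: identity already linked"
    CREATE = "create a new account"
    AUTO_LINK = "automatic link on verified email"
    LINK_TO_SESSION = "manual link to the signed-in account"
    REQUIRE_PROOF = "ask user to sign in with the existing credential first"
    REJECT = "identity belongs to a different account"

@dataclass
class Account:
    account_id: str
    email: str
    email_verified: bool
    identities: set = field(default_factory=set)  # {(provider, subject)}

def decide_link(accounts, provider, subject, email, email_verified,
                session_account_id: Optional[str] = None):
    """Return (Decision, account_id) for an incoming identity-provider login."""
    key = (provider, subject)
    owner = next((a for a in accounts if key in a.identities), None)
    if owner is not None:
        # Already linked: never move an identity between accounts silently.
        if session_account_id not in (None, owner.account_id):
            return Decision.REJECT, owner.account_id
        return Decision.SIGN_IN, owner.account_id
    if session_account_id is not None:
        # Active session plus a fresh provider login proves ownership of both.
        return Decision.LINK_TO_SESSION, session_account_id
    wanted = (email or "").strip().lower()
    match = next((a for a in accounts if wanted and a.email.lower() == wanted), None)
    if match is None:
        return Decision.CREATE, None
    # Assumption: both the provider's claim and the stored email must be verified.
    if email_verified and match.email_verified:
        return Decision.AUTO_LINK, match.account_id
    return Decision.REQUIRE_PROOF, match.account_id

# Constructed sample data, not from any real system.
ACCOUNTS = [
    Account("u1", "alice@example.com", True, {("password", "u1")}),
    Account("u2", "bob@example.com", False, {("password", "u2")}),
]
```

An unverified email match falls through to `REQUIRE_PROOF`, which corresponds to the manual flow: the user signs in with the existing credential before the new identity is attached.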

For CIAM, account linking prevents duplicate profiles and lets customers keep one profile no matter which login method they use.