Automatic account linking is a feature that lets multiple login methods resolve to the same user account as long as the email used is the same. For example, if a user signs up with Google using [email protected] and later signs up again with the same email but via email & password, we will not create a new user. Instead, the same userId is used across all login methods that share that email.
Automatic account linking is not advisable from a security point of view. Consider the following example:
- We have an app that supports sign in with Google and with GitHub.
- A user signs up with Google to use this app.
- They also have a personal GitHub account that is registered under the same Gmail address.
- If their GitHub account is somehow compromised, the attacker can sign up to our app with that GitHub account and, because the email matches, gain access to this user's existing account.
Hence, automatic account linking increases the attack surface for account takeover: a compromise of any one identity provider becomes a compromise of the app account. Instead, we recommend that when a user signs up with another provider using an email that already exists, the app either asks them to log in with their original provider, or proceeds to create a separate new account rather than linking the two.
SuperTokens does not support Account Linking yet but we are actively working on this feature.
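The takeover scenario and the recommended policy above, as an added illustration (not SuperTokens code): an in-memory user store with two sign-in handlers, one that auto-links on email and one that refuses to resolve a different provider to an existing userId. The store, handler names and the `victim@example.com` address are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    user_id: str
    email: str
    provider: str  # login method the account was originally created with


class UserStore:
    """Minimal in-memory stand-in for the app's user table (constructed for this example)."""

    def __init__(self) -> None:
        self._users: List[User] = []
        self._counter = 0

    def find(self, email: str, provider: Optional[str] = None) -> Optional[User]:
        """Return the first user with this email (and provider, if given)."""
        for u in self._users:
            if u.email == email.lower() and (provider is None or u.provider == provider):
                return u
        return None

    def create(self, email: str, provider: str) -> User:
        self._counter += 1
        user = User(f"user-{self._counter}", email.lower(), provider)
        self._users.append(user)
        return user


def sign_in_auto_link(store: UserStore, email: str, provider: str) -> dict:
    """Automatic linking: any provider asserting this email gets the existing userId."""
    user = store.find(email) or store.create(email, provider)
    return {"status": "OK", "user_id": user.user_id}


def sign_in_without_auto_link(store: UserStore, email: str, provider: str,
                              create_separate_account: bool = False) -> dict:
    """Recommended policy: a different provider never resolves to the existing userId."""
    user = store.find(email, provider)
    if user is not None:  # same email, same provider: normal sign-in
        return {"status": "OK", "user_id": user.user_id}
    other = store.find(email)
    if other is None or create_separate_account:
        # No conflict, or the app chose to create an unlinked account with its own userId.
        user = store.create(email, provider)
        return {"status": "OK", "user_id": user.user_id}
    # Conflict: tell the user to log in with the provider they originally used.
    return {"status": "SIGN_IN_WITH_ORIGINAL_PROVIDER", "original_provider": other.provider}


def takeover_scenario(sign_in) -> bool:
    """Victim signs up with Google; a GitHub login later asserts the same email.
    Returns True if the GitHub sign-in resolved to the victim's userId."""
    store = UserStore()
    victim = sign_in(store, "victim@example.com", "google")
    github_login = sign_in(store, "victim@example.com", "github")
    return github_login.get("user_id") == victim["user_id"]
```

Running `takeover_scenario` with each handler shows that only the auto-linking variant hands the victim's userId to the GitHub login.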