
I am in the process of adding social login to our application. We use email as the primary key for each user and I was planning to associate new accounts with the same email automatically, but was worried about the security implications of that. However, I was looking for other apps doing this, like ones I use, but it doesn't seem to be a common flow.

Is it worth approving account linking? I'm planning to implement Facebook and Google. Google is straightforward, and I've tried Facebook and I can't log in if the email I provided is not verified, which is supported by this link.

Is it possible to check if an email is confirmed on Facebook?

  • The security problem you're having is that if someone's Facebook account is breached, so is your application as you're trusting Facebook (or any other social provider). So, is it just the question of account linking approving or do you trust your users with your application to the point you're not worried about their social accounts being hacked? From experience, people's accounts are hacked. All the time. And it's not even hard to do. I think you have more than 1 security problem at your hands. – N.B. Mar 12 '18 at 22:20
  • That is a good point but I think the risk is the same where they've already approved the registration and then they get hacked right? – MichaelChan Mar 12 '18 at 22:23
  • Whether you do account linking or account approval, you still have the same issue - how do you mitigate / reduce the application behavior if the user is, potentially, hacked? That, in essence, is what you have to solve first and that's a tricky problem, something *you* have to figure out (I'll keep silent). Account linking / approving is just a minor nuisance, nothing that will really increase or decrease any kind of security. One might argue it could hurt it, as it's more likely I'll crack someone's Facebook account before I do so with Google account. Have an upvote, you need more help. – N.B. Mar 12 '18 at 22:31

1 Answer


Found a similar question on another network. The recommendation is the same where it really depends on the data involved and whether you want to mitigate the risk or not.

https://security.stackexchange.com/questions/52568/social-login-authenticate-if-email-exists-or-create-new-user

In our implementation, we decided that we would only automatically link it when there is no existing user data (new registration). But if there was already one and the user is just adding a new provider to sign in with, then we explicitly request permission from the original account owner.

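The linking policy the answer describes, written out as an added example (this is not code from the question, the answer, or any provider SDK): a verified provider email is required before anything is linked; a brand-new email creates the user and links the provider in one step; a previously linked identity just signs in; and an existing account that lacks this provider gets a pending request that only the current owner can confirm. The `ProviderIdentity` shape, the `UserStore` class and the confirmation token flow are assumed for illustration.

```python
"""Social-login account-linking decision (added example, not the poster's code).

Assumed inputs: the OAuth/OIDC layer has already validated the provider's
response and hands us a ProviderIdentity with the provider's stable subject
id, the email, and whether the provider says that email is verified.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from enum import Enum


class LinkDecision(Enum):
    REJECT_UNVERIFIED_EMAIL = "reject_unverified_email"
    CREATE_USER_AND_LINK = "create_user_and_link"
    SIGN_IN_EXISTING_LINK = "sign_in_existing_link"
    REQUIRE_OWNER_CONFIRMATION = "require_owner_confirmation"


@dataclass(frozen=True)
class ProviderIdentity:  # assumed shape, not a real SDK type
    provider: str        # e.g. "google", "facebook"
    subject: str         # provider's stable user id; never key on the email
    email: str
    email_verified: bool


@dataclass
class User:
    email: str
    linked: dict = field(default_factory=dict)  # provider -> subject


def normalize_email(email: str) -> str:
    # Match existing accounts case-insensitively so "Alice@X" and "alice@x" collide.
    return email.strip().lower()


class UserStore:
    """In-memory stand-in for the application's user table."""

    def __init__(self) -> None:
        self._by_email: dict[str, User] = {}
        # Pending link requests: token -> (owning account's email, identity to attach)
        self._pending: dict[str, tuple[str, ProviderIdentity]] = {}

    def find_by_email(self, email: str):
        return self._by_email.get(normalize_email(email))

    def create(self, email: str) -> User:
        user = User(email=normalize_email(email))
        self._by_email[user.email] = user
        return user

    def social_login(self, identity: ProviderIdentity):
        """Return (decision, user or None, confirmation token or None)."""
        if not identity.email_verified:
            # An unverified provider email proves nothing about who controls the
            # local account with that address, so it must never trigger a link.
            return LinkDecision.REJECT_UNVERIFIED_EMAIL, None, None

        user = self.find_by_email(identity.email)
        if user is None:
            # New registration: no existing data, so automatic linking is safe.
            user = self.create(identity.email)
            user.linked[identity.provider] = identity.subject
            return LinkDecision.CREATE_USER_AND_LINK, user, None

        if user.linked.get(identity.provider) == identity.subject:
            return LinkDecision.SIGN_IN_EXISTING_LINK, user, None

        # Existing account without this provider (or with a different subject
        # for it): park the request until the owner explicitly approves it.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (user.email, identity)
        return LinkDecision.REQUIRE_OWNER_CONFIRMATION, None, token

    def confirm_link(self, token: str, authenticated_email: str) -> bool:
        """Attach the pending identity once the owner has proven control of the
        existing account (password login, or a link sent to that email).
        Any attempt consumes the token, so it is single-use."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        owner_email, identity = entry
        if normalize_email(authenticated_email) != owner_email:
            return False
        self._by_email[owner_email].linked[identity.provider] = identity.subject
        return True


if __name__ == "__main__":
    store = UserStore()
    print(store.social_login(ProviderIdentity("google", "g-1", "alice@example.com", True))[0])
    print(store.social_login(ProviderIdentity("facebook", "f-9", "alice@example.com", True))[0])
```

The confirmation step is deliberately separate from the login request: the provider's assertion only proves control of the provider account, and the answer's point is that attaching it to pre-existing local data needs proof from the local owner as well. The token is consumed on any confirmation attempt, right or wrong, so a pending request cannot be retried.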