According to these docs, it is not safe to link accounts.
Replies: 1 comment
Hi @itaied246
The principle is that we wouldn't know if the 3rd party social provider does email verification or not. I think with automatic account linking you can never assume it is truly safe. I suppose even with email verification, a scenario could be that an account is taken over on the social provider side. Even with initial verification, on a stolen dormant account the attacker could also do account takeover with the stolen social account.
Without automatic linking they would somehow need to compromise your account at Ory first and then link the stolen social account - which doesn't make sense since stealing the account was the goal in the first place :)
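
The two linking policies contrasted in this reply, as an added example that is not part of the original discussion and is not Ory's code. All names (`Identity`, `SocialClaim`, `resolve_login`, `example-idp`) are hypothetical, and the sample identity is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    id: str
    email: str
    linked: set = field(default_factory=set)  # (provider, subject) pairs

@dataclass
class SocialClaim:
    provider: str
    subject: str
    email: str
    email_verified: bool  # whatever the provider asserts; we cannot check it

def sample_store():
    # Constructed sample data: one existing local identity.
    return {"id-alice": Identity("id-alice", "alice@example.com")}

def resolve_login(store, claim, session_identity_id=None, auto_link=False):
    """Decide what a social sign-in does. Returns (action, identity_id)."""
    key = (claim.provider, claim.subject)
    # 1. This social credential is already linked: ordinary login.
    for ident in store.values():
        if key in ident.linked:
            return ("login", ident.id)
    # 2. The user is already signed in locally and asked to link:
    #    the existing session proves control of the local account.
    if session_identity_id is not None:
        store[session_identity_id].linked.add(key)
        return ("linked", session_identity_id)
    # 3. No session: does the claimed email collide with an existing identity?
    match = next((i for i in store.values()
                  if i.email.lower() == claim.email.lower()), None)
    if match is None:
        return ("register", None)
    if auto_link and claim.email_verified:
        # Automatic linking: the provider's word alone grants access to the
        # existing identity, so a lax or compromised provider account is enough.
        match.linked.add(key)
        return ("login", match.id)
    # Explicit linking: refuse, and require a local sign-in first (case 2).
    return ("conflict_sign_in_first", match.id)
```

With `auto_link=True`, a claim for `alice@example.com` from an unknown social subject logs in as `id-alice`; with the default, the same claim returns a conflict and nothing is linked until Alice signs in locally.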