Account Linking.
Joining two or more authentication identities into a single user account — typically merging a social login (Sign in with Google) with an existing email/password account or with another social provider.
The auto-link-by-email anti-pattern is one of the more common CIAM account-takeover vectors. An attacker registers a Sign in with Google identity using the victim's email address (no verification is required on the Google side beyond control of that email). If your app auto-links on a matching email address, the attacker's new identity now opens the victim's existing account. The fix: require the user to log in to the existing account first, then explicitly add the new provider from that authenticated session.
Common questions
Should I auto-link accounts that share an email address?
How does Sign in with Google handle account linking?
What's the account-takeover risk of automatic account linking?
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential-stuffing protection, MFA, session management, and recovery design, each addressing a different attack class.
Social Login: Implementation, Trade-offs, and the Privacy Cost
Sign in with Google, Apple, Microsoft, Facebook, GitHub — conversion lift is real, lock-in is real, privacy cost is real. The 2026 decision is not whether but which providers to support.