Account Linking
Connecting multiple identity providers (social, corporate) to one user account for unified login.
What is Account Linking?
Account Linking is the process of connecting multiple identity providers (social logins, corporate IdPs) to a single user account. This prevents account fragmentation (multiple accounts for the same user).
Account linking ensures that:
- Google login → same account as Facebook login for the same user
- Corporate IdP (Okta) → same account as social login (Google)
- Email/Password → linked to social logins (no duplicate accounts)
Without account linking, users end up with multiple orphaned accounts (one created via Google, another via Facebook) - confusing for both users and administrators.
Analogy
Think of account linking like having multiple keys that all open the same door. Your Google login, Facebook login, and corporate login all lead to the same account - the system recognizes 'these are all John Doe' and links them together.
Types and Use Cases
- CIAM: Link Google, Facebook, and email logins to one customer account
- B2B IAM: Link a partner's corporate IdP to their vendor portal account
- Progressive Profiling: User starts with social login, later adds password login (link accounts)
- Merge Existing Accounts: Detect and merge duplicate accounts (same email, different login methods)
How it Works
{
  "accountLinking": {
    "detectionMethods": ["email-match", "phone-match", "manual-link"],
    "promptUser": true,
    "autoLink": false,
    "mergePolicies": {
      "preferSocial": true,
      "keepOldestAccount": true
    }
  }
}

// API: Link Account
POST /api/account/link
{
  "userId": "existing-user-123",
  "provider": "facebook",
  "providerUserId": "fb-456",
  "providerToken": "fb-access-token"
}

Account Linking vs Social Login
| Account Linking | Social Login |
| --- | --- |
| Account Linking connects multiple login methods to one account | Social Login is just one login method (Google, Facebook) |
| Account linking prevents duplicates | Social Login alone can create multiple accounts (Google vs. Facebook) |
| Account linking requires detection + user consent | Social Login alone just creates a new account |
Best Practices for Account Linking
- Detect by email: If a new social login has the same email as an existing account, prompt to link
- Always ask the user: Don't auto-link without user consent (security risk)
- Merge carefully: Keep the oldest account, merge profile data from the newest
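The following is an added example (not LoginRadius code) that puts the "How it Works" config and the best practices above into one decision routine: detect a match by email, refuse to link on an unverified email claim, require the linking call to come from a session authenticated as the existing account's owner, and merge duplicates by keeping the oldest account. The POLICY dictionary, account records and identity claims are constructed for the example; the provider's `email_verified` flag stands in for whatever the IdP actually asserts.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Mirrors the page's "accountLinking" config; values are constructed for this example.
POLICY = {"promptUser": True, "autoLink": False, "mergePolicies": {"keepOldestAccount": True}}

@dataclass
class Account:
    user_id: str
    email: str
    created: datetime
    providers: dict = field(default_factory=dict)   # provider -> providerUserId

@dataclass
class Identity:                  # what the IdP asserts about the incoming login
    provider: str
    provider_user_id: str
    email: str
    email_verified: bool         # the IdP's own claim (e.g. OIDC email_verified)

def detect(identity, accounts):
    """Return the existing account whose email matches the incoming identity, or None."""
    return next((a for a in accounts if a.email.lower() == identity.email.lower()), None)

def decide(identity, accounts, policy=POLICY):
    """'create' (no match), 'prompt' (ask the owner), 'link' (auto), 'verify' (unsafe)."""
    match = detect(identity, accounts)
    if match is None:
        return "create", None
    if not identity.email_verified:      # a lax IdP lets anyone assert a victim's email
        return "verify", match
    if policy["autoLink"] and not policy["promptUser"]:
        return "link", match
    return "prompt", match

def link(account, identity, session_user_id):
    """POST /api/account/link: caller must be authenticated as the existing account's owner."""
    if session_user_id != account.user_id:
        raise PermissionError("consent must come from the existing account's owner")
    account.providers[identity.provider] = identity.provider_user_id
    return account

def merge(a, b, policy=POLICY):
    """Merge duplicates: keep the oldest account and carry over the other's login methods."""
    keep, drop = sorted((a, b), key=lambda x: x.created)
    if not policy["mergePolicies"]["keepOldestAccount"]:
        keep, drop = drop, keep
    for provider, pid in drop.providers.items():
        keep.providers.setdefault(provider, pid)
    return keep
```

With the page's default policy (promptUser true, autoLink false) a verified match always yields "prompt"; the "verify" outcome is the case the auto-link attack in the FAQ relies on, and it never reaches `link`.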
How LoginRadius Powers Account Linking
LoginRadius CIAM platform provides built-in account linking to prevent duplicate accounts. Our system auto-detects matching emails/phones across login methods (Google, Facebook, email). We prompt users to confirm linking (secure, no auto-link), provide RESTful APIs for programmatic account linking, and offer configurable merge policies (keep oldest account, prefer social profile data). LoginRadius also provides linking analytics and duplicate account reports.
FAQs
With account linking: The system detects the same email and prompts the user to link Facebook to the existing Google account. Now both logins lead to the same account. Without linking: Two separate accounts are created (Google account + Facebook account), and the user is confused about why their data isn't there when switching login methods.
Always ask the user (with a clear explanation). Auto-linking is a security risk: (1) An attacker creates an account with the victim's email + the attacker's social login, (2) the system auto-links, and now the attacker can access the victim's account! Always show: 'This email already exists. Link this login method to the existing account?'
LoginRadius provides comprehensive account linking: (1) Auto-detection - detects same email/phone across login methods, (2) User prompt - asks user to confirm linking (secure), (3) API support - programmatically link accounts via API, (4) Merge policies - configure which profile data to keep during merge, (5) Analytics - track linking rates and duplicate prevention.