Lessons in safe identity linking

Have you ever juggled multiple logins across platforms, struggling to remember which account uses SSO, or where you saved the password? Identity linking unifies fragmented accounts into one.

But while this can simplify the user experience, linking identities without proper security can lead to serious vulnerabilities—like unintended account access or exposure of personal data.In this guide, we’ll explore:

• How to do identity linking safely
• Why security is essential for linked accounts
• Common vulnerabilities to avoid
• Best practices for secure identity linking

What is safe identity linking?

Safe identity linking securely combines multiple accounts a user creates with different authentication methods into one unified profile. This means users signing in with various methods — like email/password, OAuth providers (such as Google or GitHub), or enterprise SSO — are all connected to the same profile within your application.

How does identity linking work?

When a user logs in through an identity provider, the provider sends a token or assertion containing claims about the user.

These claims typically include details like the user’s email address, a unique ID from the provider, and other attributes. We’ll refer to this collection of claims as a Profile.

Identity linking means associating this Profile with a User in your application, allowing the User to authenticate using multiple methods while maintaining a single, unified profile.

User identity linkage: Why it matters

Identity linking ensures that all login methods tie back to a single profile, improving security, privacy, and the overall user experience.

Security

Without robust identity linking, users signing in through different methods risk creating duplicate accounts, exposing your system to security gaps. Malicious actors can exploit these unlinked accounts, especially if one is protected by a weaker method, such as an outdated email/password login. With access to an unlinked account, they can potentially retrieve sensitive data or escalate their privileges within your system.

Privacy

When users have multiple accounts, their data is fragmented across different profiles, making it harder to manage consent and data access. By consolidating these profiles into one, you gain more accurate control over user data and permissions.

User experience

Consistency is crucial for a positive user experience. Identity linking lets users log in through different methods (email, OAuth, or SSO) without remembering which one they used before. This ensures they can always access their full profile and data history, regardless of the login method.

Common vulnerabilities in identity linking

Common identity-linking issues include NoAuth vulnerabilities, which occur when applications fail to properly validate identity provider (IdP) claims during OAuth or other federated authentication processes. In these cases, applications may trust user attributes (like email addresses) without ensuring they are thoroughly verified by the identity provider, creating opportunities for exploitation.

How a NoAuth Vulnerability Works:

1. Token Issuance: After authenticating a user, an OAuth provider issues a token containing user claims, such as an email or user ID.
2. Trust Without Verification: In a NoAuth vulnerability, the application trusts these claims without confirming that the identity provider has fully verified the user’s attributes. This may occur if the provider allows certain user claims to be self-asserted or if it lacks rigorous verification steps.
3. Potential Exploitation: For example, a user could present a token associated with what appears to be a corporate email address, but without verification, this email could be a self-registered or unverified personal email. Attackers may exploit this to access systems assuming trusted identities without adequate validation.

How insecure identity sharing works

Insecure identity sharing occurs when sensitive user information is transferred between systems without adequate security measures. Common issues include:

• Unencrypted Data Transfers: Sensitive identity data must always be encrypted during transit, particularly over public networks. Unencrypted transfers are vulnerable to interception by attackers, potentially exposing user credentials or personal information.
• Excessive Data Sharing: Applications sometimes share more identity data than necessary with external services, which can expose sensitive profile information. If the external service has weaker security practices, this over-sharing can lead to data leaks or breaches.
• Inconsistent Data Validation: Failing to validate user data across systems consistently can result in mismatched profiles or duplicate accounts, weakening identity integrity and increasing the risk of unauthorized access or identity spoofing.

Best practices for safe identity linking

Verify emails

Even if an OAuth provider sends an email as part of the authentication token, don’t automatically assume it’s verified. Always perform your email verification to prevent unverified identity claims from being trusted.A common approach is to send an email with a verification link that users click to update the Profile’s verification state, similar to how magic links work.

The downside to this approach is that some email providers can be configured to follow links in email bodies to identify spam or security issues.

These checks render the verification link useless since, for security reasons, they can generally only be followed once.A better practice is to include a string of characters or digits in the email body that the user inputs to a form in the developer’s application.

The Profile’s email verification state is updated upon successful form submission. Although this requires manual copying or copy/pasting, it results in a more reliable user experience overall.

Use domain capture in enterprise SSO

In enterprise SSO environments, domain capture can eliminate the need to verify emails within a specific domain. Domain capture is a set of controls an organization’s IT admin can apply to everything related to its organizational resources.

These controls rely on an IT admin verifying ownership of the domain—usually by making DNS configuration changes—to confirm that they have full control over the profiles in that domain.

Once a domain has been verified, a Profile with an email claim from that domain can be assumed to be verified, meaning safe identity linking can be performed.

For this to work effectively, the organization should turn off other authentication methods. If users can still authenticate through other channels, the security guarantees of domain capture are weakened.

Encryption and secure protocols

Encryption is crucial for protecting identity data both in transit and at rest.

• In transit: Encrypt data transmitted between users, identity providers, and your application using TLS (Transport Layer Security). This prevents attackers from intercepting data during authentication or identity-linking processes.
• At rest: Encrypt any stored identity data, such as tokens or profile details, using strong encryption algorithms. This ensures that user data remains protected even during a breach.

Additionally, regularly rotate encryption keys to minimize the risk of compromised credentials.

Implement MFA

Require MFA during login and before allowing users to link identities. This ensures that even if credentials are compromised, attackers can’t proceed without passing an additional verification step.

Auditing and monitoring

Monitor unusual behavior, such as login attempts from unexpected locations, rapid switching between identity providers, or repeated failed attempts to link accounts.

By detecting these patterns early, you can prevent potential security incidents. Regularly audit identity links to ensure that accounts are properly linked and changes are authorized.

How to protect against NoAuth vulnerabilities

Implement email verification

One common NoAuth attack involves impersonation, where an attacker uses an unverified or spoofed email to access another user's profile. Without verifying emails, your app might link a fraudulent profile, giving the attacker unauthorized access.

For example, some OAuth providers, like GitHub, allow users to add external email addresses but do not revalidate them over time. If a user leaves a job but retains access to an old work email, this could create a security gap. To avoid such risks, re-verify the email before linking the profile.

Use domain restrictions

Verify that the email address's domain matches a trusted or managed domain. For example, with non-Gmail Google accounts, users could create an alias (e.g., alice+later@hireos.com) that bypasses the company’s offboarding process.

To mitigate this, use checks that confirm the email domain is part of a trusted or enterprise-managed domain, especially when dealing with Google Workspace or similar platforms.

Verify claims from identity providers

Never unquestioningly trust the claims sent by identity providers. Use additional claim verification methods to ensure the data you receive is valid and trustworthy.

Why is safe identity linking essential for businesses?

When identity links are insecure or improperly managed, it opens the door to various risks that can have significant business implications. They include:

Risk of account takeover and data breaches

Insecure identity linking can lead to account takeovers, where malicious actors exploit fragmented user profiles to gain unauthorized access to business applications. Data breaches like these damage a company’s reputation and can lead to severe financial penalties due to regulatory violations like GDPR, CCPA, or HIPAA.

Compliance violations

Insecure identity linking can result in non-compliance if personal or customer data is mishandled or left exposed due to inadequate security measures.Failure to comply with data privacy regulations can lead to hefty fines, legal challenges, and long-term reputational damage.

Poor user experience and customer frustration

Customers who cannot access the right account or are repeatedly asked to re-authenticate due to unlinked profiles may become frustrated and lose trust in the company’s ability to protect their data.This poor user experience leads to higher churn rates, lost customers, and negative reviews.

Increased operational overhead

The time spent by support teams handling customer complaints about account access and remediating security incidents related to insecure identity links adds unnecessary operational overhead.

Meanwhile, developers may need to spend valuable time implementing patches or redesigning identity systems, diverting focus from core product development and growth.

WorkOS solutions for secure identity linking

Identity linking behavior in WorkOS is secure by default:

• Automatic deduplication of user credentials: WorkOS uses email as a unique identifier to link credentials. Hence, matching emails connect to the same profile if users log in with Google OAuth or Microsoft OAuth.
• Email verification by default: WorkOS requires email verification by default to confirm ownership before linking new credentials. If WorkOS cannot verify ownership, the authentication process halts to protect the account.
• Domain verification for enterprise SSO: For enterprise users, WorkOS auto-verifies domains, reducing friction for SSO logins. Email verification is required for unverified domains.
• Support for multiple SSO credentials: WorkOS supports users with multiple SSO credentials, such as those working with different organizations. Users select which organization’s SSO provider to use during authentication.

Sign up for WorkOS today, and start selling to enterprise customers tomorrow.