Reputation: 3209
This is a theoretical question.
Suppose I have a Twitter, Facebook, G+, Instagram account all with the email address [email protected]
and now I want to design a web application that allows users to log in to the application with their Twitter, Facebook, G+, Instagram accounts or by a standard registration form.
The unique identifier of my users is their email address.
Now suppose I already have an account registered with the email [email protected]
how should I design the mechanism to allow me to link my Twitter, Facebook, G+, Instagram account?
Method 1
Ask the user to log in first, then connect to their other accounts.
Pro:
Cons:
Method 2
Assume that the third-party OAuth providers confirm the email; just associate the third-party account to the existing account (in my application) with the existing email provided by the third party.
Pro:
Cons:
Question
How can I ensure that [email protected]
from Facebook is the same [email protected]
from G+?
Or is there no simple/user friendly way to do this?
Upvotes: 1
Views: 213
Reputation: 4019
You can't assume that the email they've used to create your account is the same one they used to create their Twitter or Facebook accounts. In addition, Twitter does not return the email address associated with the user's account. Solution number 1 is really your only option.
Upvotes: 1
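Added example, not part of the original question or answer: a minimal in-memory sketch of Method 1, where a third-party identity is attached only from an already authenticated local session and later logins are resolved by the provider's user ID, never by a reported email. The class and function names, the provider IDs and the sample address are all hypothetical, and keying on the provider's user ID is an assumption of this sketch.

```python
class LinkError(Exception):
    """Raised when a link request must be refused."""


class AccountStore:
    def __init__(self):
        self.users = {}        # local user_id -> email given at registration
        self.identities = {}   # (provider, provider_user_id) -> local user_id
        self._next_id = 1

    def register(self, email):
        user_id = self._next_id
        self._next_id += 1
        self.users[user_id] = email
        return user_id

    def link_identity(self, session_user_id, provider, provider_user_id):
        """Method 1: the caller must already be logged in to the local account."""
        if session_user_id not in self.users:
            raise LinkError("log in to the local account before linking")
        key = (provider, provider_user_id)
        owner = self.identities.get(key)
        if owner is not None and owner != session_user_id:
            raise LinkError("identity already linked to another account")
        self.identities[key] = session_user_id

    def login_with_provider(self, provider, provider_user_id, claimed_email=None):
        """Resolve a provider login to a local user, or None if not linked.

        claimed_email is deliberately ignored for lookup: it may be absent
        or differ from the address used for the local account.
        """
        return self.identities.get((provider, provider_user_id))


def demo():
    store = AccountStore()
    alice = store.register("alice@example.test")   # constructed sample data
    # A provider login that merely reports the same email is not matched.
    unlinked = store.login_with_provider("facebook", "fb-1001", "alice@example.test")
    # After a local login, the user links two providers, one with no email at all.
    store.link_identity(alice, "facebook", "fb-1001")
    store.link_identity(alice, "twitter", "tw-77")
    linked = (store.login_with_provider("facebook", "fb-1001"),
              store.login_with_provider("twitter", "tw-77"))
    return alice, unlinked, linked


if __name__ == "__main__":
    print(demo())
```

When `login_with_provider` returns `None`, the application would offer to log in locally and link, or to create a new account, rather than merging on the email.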