Social IdP linking
Linking a Google/GitHub/etc. account to an existing password identity
Critical security check
If the OIDC email matches an existing identity's verified email, do not auto-link. The confirmation step prevents pre-linking attacks.
See Identity, Account linking for the full security rationale.
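The check above as decision logic, in an added Python example that is not the project's own code. The `Store` and `Identity` classes, the action names, and the use of password re-authentication as the confirmation step are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

@dataclass
class Identity:                      # hypothetical record for a password identity
    email: str                       # verified email
    salt: bytes
    pw: bytes
    links: set = field(default_factory=set)   # {(issuer, subject)} already linked

class Store:                         # hypothetical in-memory identity store
    def __init__(self):
        self.identities = []
        self.pending = {}            # one-time token -> (identity, (issuer, subject))

    def on_oidc_callback(self, issuer, subject, email):
        """Decide what to do with the claims of an already validated ID token."""
        key = (issuer, subject)
        for ident in self.identities:
            if key in ident.links:   # linked earlier: ordinary sign-in
                return ("signed_in", ident)
        for ident in self.identities:
            # Simplified comparison; real email normalisation is more involved.
            if ident.email.casefold() == email.casefold():
                # A matching email is not proof of ownership: park the link
                # and ask for confirmation instead of attaching it.
                token = secrets.token_urlsafe(16)
                self.pending[token] = (ident, key)
                return ("confirm_required", token)
        return ("create_identity", None)    # no match: caller makes a new identity

    def confirm_link(self, token, password):
        """Attach the social account only after the existing password is proven."""
        ident, key = self.pending.pop(token, (None, None))  # single use
        if ident is None:
            return False
        if not hmac.compare_digest(pw_hash(password, ident.salt), ident.pw):
            return False             # failed proof: the flow must restart
        ident.links.add(key)
        return True
```

The pending token is consumed on the first attempt, so a failed confirmation cannot be retried against the same parked link.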