Social Login: can log in using social login even if email address is replaced

[worldomonation]

Steps to reproduce the behavior

Prereq. Have a social login.

1. Sign up for a new account at /start
2. Log in using a Google account.
3. Complete new user onboarding.
4. Go to Me > Account Settings.
5. In the Email Address field, enter a new email address that is not Gmail.
6. Confirm and verify the changes by clicking on the link that is sent to the new email address.
7. Under Me > Account Settings, confirm the new email address is shown.
8. Log out.
9. From wp-login, choose to log in using Google account.
10. Use the Google account used in Step 2.

What I expected to happen

Google login is not permitted as the WordPress.com account associated with the Gmail account now has another email address associated with it.

What actually happened

Google login is successful.

Context

Back to basics user testing.

Browser / OS version

OS: macOS Big Sur 11.1 (20C69)
Browser: Firefox Nightly 87.0a1
Browser: Safari Version 14.0.2 (16610.3.7.1.9)

Is this specific to the applied theme? Which one?

No

Does this happen on simple or atomic sites or both?

Only tested on Simple.
Atomic unknown.

Is there any console output or error text?

No.

Level of impact (Does it block purchases? Does it affect more than just one site?)

Minor/Moderate - confusing to user, potential security issue?

Reproducibility (Consistent, Intermittent) Leave empty for consistent.

Consistent.

Screenshot / Video: If applicable, add screenshots to help explain your problem.

Steps 1-5:
https://user-images.githubusercontent.com/6549265/108577553-56d06d80-72d6-11eb-8d7d-031bf4fb92ea.mov

Steps 6-10:
https://user-images.githubusercontent.com/6549265/108577588-710a4b80-72d6-11eb-8deb-39703a68c142.mov

[StefanNieuwenhuis]

Check p1614633457071000-slack-C013QHLF28Y for more context.

[jeyip]

Apparently there is information about other social sign-in methods hidden away under the "Me" Page > Security > Social Logins sub-menu.

If the user wants to change their email address and discontinue access from their social login, they'll have to navigate to the page above and manually disconnect things.

Given that @StefanNieuwenhuis, @worldomonation, @cathymcbride and I were unaware of this, there might be an opportunity to improve the user experience here. I think that the information about other sign-in methods could be placed in closer proximity to where the user can change their email address, or maybe we could add some sort of warning? Would love to get some input from designers.

@griffbrad do you happen to know who we could reach out to?

[cathymcbride]

@griffbrad Does this need to go to Team Calypso or design?

[griffbrad]

I’ve added it to our backlog but I don’t think anyone on our team has worked much with social login features, really. I think we have at least interacted with these bits of Calypso recently in the context of our reduxification work, though.
@tyxla or @flootr, feel free to reach out to other folks if you think there is a better place for this issue, but my impression is that this part of Calypso isn’t really owned by anyone in particular.
From my perspective, displaying a notice when the email is changed and the account has social logins configured would be a sufficient improvement here.

[worldomonation]

My anecdotal observation is that users tend to ignore warnings, notices or popups or do the minimum possible to dismiss it as soon as possible.

Since the behavior described in this issue has the potential to inadvertently lead to a situation like p1614671809072900/1614633457.071000-slack-C013QHLF28Y, I do not think a simple warning banner would suffice.

From my perspective, one of the following actions should be considered:

1. simply do not permit the user to change their email address from Me > My Account if the account was created through a social login. A notice would be shown directing user to disconnect their social login at Security > Connected Apps.
2. permit the user to make changes to their email address at Me > My Account, but
   a) simultaneously disconnect their social login in the background
   or
   b) force the user to also navigate to Security > Connected Apps to disconnect the social login.

Because of what was mentioned in the Slack thread (that having multiple login methods is not officially supported) I think we should do as much as possible to ensure any given user account does not enter that state.

[tyxla]

simply do not permit the user to change their email address from Me > My Account if the account was created through a social login. A notice would be shown directing user to disconnect their social login at Security > Connected Apps.

I think this suggestion makes a lot of sense. It feels like the user would enter a very weird rabbit hole to change the email address that is the only connection to their account 🤷

[griffbrad]

Totally agree. Thanks for clarifying @worldomonation! I'd missed some of the context on this issue earlier.

[simison]

cc @obenland @lcollette in case this would make sense for Manage team?