Hi everyone,
I wanted to report a confusing authentication experience that may be worth reviewing from a UX / identity-flow perspective.
Scenario:
• Account was originally created using Sign in with Google
• Original Google email: example@gmail.com
• Later, account email was changed to a custom domain address: example@customdomain.com
Observed Behavior:
After updating the email, the login flow became ambiguous:
- Attempting username/password login resulted in a message indicating that I must sign in using Google (expected, since the account was created via Google).
- Attempting Google login with the original Gmail account triggered an account creation flow, followed by an error stating that the email was already associated with an account.
- Attempting one-time code login using the updated custom domain email still resulted in the same “must use Google login” message.
- The only successful resolution was creating a new Google account using the updated custom domain email and signing in via Google with that account.
Why This Was Confusing:
From a user perspective:
• The system did not clearly indicate that the authentication method remained locked to Google despite the email change
• Error messages implied conflicting states (account exists vs account creation flow)
• One-time code login suggested an alternative path but still redirected to Google enforcement
Suggestion:
It might help to provide clearer messaging when:
• An account was created via SSO
• The email is changed to an address not previously tied to that IdP
For example:
“This account was created using Google authentication. Please sign in with a Google account that controls [new email].”
This would have made the resolution path immediately obvious.
Impact:
No security issue observed, but the flow created significant confusion and temporary lockout anxiety.
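The following is an added model of the sign-in resolution described in the post above; it is example code written for this thread, not the service's own implementation. It assumes the account record stores the provider that created the account plus the Google `sub` claim captured at signup, that a Google ID token is reduced to the claims `sub`, `email` and `email_verified`, and that every user-facing message is hypothetical wording except the one quoted from the post. The point it demonstrates is that the provider lock is a property of the account, not of the email address, so each sign-in path (password, one-time code, Google) should be resolved against that record and answer with the same message, and that a Google identity should be matched by its stable subject first and by IdP-verified email second, rather than falling into signup and then colliding.

```python
"""Constructed model of provider-locked accounts and a changed login email."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

GOOGLE = "google"
PASSWORD = "password"


@dataclass
class Account:
    account_id: str
    email: str                         # current login email; may change after signup
    auth_provider: str                 # provider that created the account: GOOGLE or PASSWORD
    idp_subjects: Set[str] = field(default_factory=set)  # Google "sub" values linked to it


@dataclass
class Result:
    outcome: str   # "ok", "use_google", "use_password", "no_account", "unverified_email"
    message: str


class AccountStore:
    """In-memory store indexed by email and by IdP subject (constructed for this example)."""

    def __init__(self) -> None:
        self._by_email: Dict[str, Account] = {}
        self._by_subject: Dict[str, Account] = {}

    def create_google_account(self, account_id: str, email: str, sub: str) -> Account:
        acct = Account(account_id, email.lower(), GOOGLE, {sub})
        self._by_email[acct.email] = acct
        self._by_subject[sub] = acct
        return acct

    def change_email(self, acct: Account, new_email: str) -> None:
        # Re-index under the new address; provider lock and subject links are unchanged.
        del self._by_email[acct.email]
        acct.email = new_email.lower()
        self._by_email[acct.email] = acct

    def by_email(self, email: str) -> Optional[Account]:
        return self._by_email.get(email.lower())

    def by_subject(self, sub: str) -> Optional[Account]:
        return self._by_subject.get(sub)

    def link_subject(self, acct: Account, sub: str) -> None:
        acct.idp_subjects.add(sub)
        self._by_subject[sub] = acct


def sso_required(acct: Account) -> Result:
    # Wording taken from the suggestion in the post; shown on every non-SSO path.
    return Result("use_google",
                  "This account was created using Google authentication. "
                  f"Please sign in with a Google account that controls {acct.email}.")


def login_password(store: AccountStore, email: str, password: str) -> Result:
    acct = store.by_email(email)
    if acct is None:
        return Result("no_account", "No account exists for this email.")
    if acct.auth_provider != PASSWORD:
        return sso_required(acct)
    return Result("ok", "Signed in with password.")  # credential check is outside this model


def login_one_time_code(store: AccountStore, email: str) -> Result:
    acct = store.by_email(email)
    if acct is None:
        return Result("no_account", "No account exists for this email.")
    if acct.auth_provider != PASSWORD:
        return sso_required(acct)  # answer before sending a code, so the path is not a dead end
    return Result("ok", "One-time code sent.")


def login_google(store: AccountStore, claims: dict) -> Result:
    """claims: the subset of an OIDC ID token this model needs (sub, email, email_verified)."""
    sub, email = claims["sub"], claims["email"]
    # 1. Stable identifier first: the original Google account keeps working after an email change.
    acct = store.by_subject(sub)
    if acct is not None:
        return Result("ok", f"Signed in to {acct.email} via Google.")
    # 2. An IdP-asserted email is only usable for matching when the IdP has verified it.
    if not claims.get("email_verified", False):
        return Result("unverified_email", "Google has not verified this email address.")
    # 3. A different Google account that controls the current login email is linked to the
    #    existing Google-created account instead of being pushed into signup.
    acct = store.by_email(email)
    if acct is not None and acct.auth_provider == GOOGLE:
        store.link_subject(acct, sub)
        return Result("ok", f"Linked Google account {email} and signed in.")
    # 4. Never auto-link a social login onto a password account by email alone.
    if acct is not None:
        return Result("use_password", "This account signs in with a password or one-time code.")
    return Result("no_account", f"No account is linked to the Google identity {email}.")


if __name__ == "__main__":
    store = AccountStore()
    acct = store.create_google_account("acct-1", "example@gmail.com", "g-sub-original")
    store.change_email(acct, "example@customdomain.com")
    print(login_one_time_code(store, "example@customdomain.com").message)
```

Resolving the stable `sub` before the email is what keeps the original Gmail identity usable after the address change; checking `email_verified` before any email-based match is the guard that makes linking a second Google account (the workaround the post ended up with) safe, and step 4 is deliberately conservative because email-based auto-linking onto a password account is a common account-takeover vector.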