For log in security, I know that you don’t want to identify whether or not it is specifically the username or password that is incorrect.
e.g. “The email or password you entered is incorrect”
Along those lines, is it ok to provide feedback that an email was previously used with SSO? For example, a user that initially signed in via Google SSO tries to log in via email on a subsequent visit. If we detect that email exists in the system and is connected via SSO, is it ok to inform the user without posing a security risk?
e.g. “This account is connected with Google SSO, please log in with Google”