Obviously it is very common for sites to allow log in using both the traditional email/password and social authentication using Facebook, Google, Twitter, etc.
If a user creates an account using an email/password, it makes sense that they can then log in with Facebook/Google using the same email address and that will be connected to their existing account.
However, what about in the opposite scenario? If a user first decides to log in using Facebook/Google, should they be given a way to connect a password to their account as well?
Specifically, I see a security issue. Typically, if a user wants to change their password, they must first provide their existing password. But in this scenario, how can we verify the user when they go to set the password, when there is no existing password? I don’t feel like it’s safe to allow a direct password entry without some additional verification at the time of action. If a user is logged in on a machine shared with other users, it could allow the other users to set a password without the account owner knowing.
In the case of Firebase, they support the process of linking a password to an account that has been created using some other login method. See their documentation.
But I have not seen any real world examples of this. Should this be allowed, and if so, what would the behavior flow in a hypothetical app or website look like?
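One way to implement the flow the question asks about, as an added, constructed example rather than code from the question, from Firebase, or from any real product: a social-only account has no password to ask for, so the set-password action is gated behind a fresh proof of identity instead (a provider re-login within the last few minutes, or a single-use link sent to the account's e-mail), and every other session is revoked once the password is set. All names (Account, Session, set_password, the five-minute window, the token lifetime) are assumptions of this example.

```python
"""Step-up verification before attaching a password to a social-login account.

Constructed example: accounts created through a federated provider have no
password, so the usual "enter your current password" gate does not exist.
Here the set-password action requires a fresh proof of identity instead:
a provider re-authentication within REAUTH_WINDOW_SECONDS, or a single-use
e-mail link redeemed in this session. Setting the password also revokes all
other sessions, so a session left open on a shared machine loses its access.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

REAUTH_WINDOW_SECONDS = 5 * 60      # assumed: how fresh a provider re-login must be
EMAIL_TOKEN_TTL_SECONDS = 15 * 60   # assumed: lifetime of the e-mailed link
PBKDF2_ROUNDS = 600_000


class StepUpRequired(Exception):
    """The caller must re-prove identity before this action is allowed."""


@dataclass
class Account:
    email: str
    providers: set[str] = field(default_factory=set)   # e.g. {"google"}
    password_hash: bytes | None = None
    salt: bytes | None = None
    session_generation: int = 0            # bumped to revoke every session
    email_token_hash: bytes | None = None  # hash of the outstanding link token
    email_token_expires: float = 0.0


@dataclass
class Session:
    account: Account
    generation: int                         # must match account.session_generation
    last_reauth_at: float | None = None     # time of the last provider (re)login
    email_verified_at: float | None = None  # time an e-mail link was redeemed here


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def login_with_provider(account: Account, provider: str, now: float) -> Session:
    """Stands in for a completed OAuth/OIDC login; identity was checked by the provider."""
    if provider not in account.providers:
        raise PermissionError("provider not linked to this account")
    return Session(account=account, generation=account.session_generation, last_reauth_at=now)


def reauthenticate_with_provider(session: Session, provider: str, now: float) -> None:
    """Records a forced fresh provider login (prompt=login / max_age=0 in OIDC terms)."""
    if provider not in session.account.providers:
        raise PermissionError("provider not linked to this account")
    session.last_reauth_at = now


def issue_email_token(account: Account, now: float) -> str:
    """Creates the single-use link token; only its hash is stored server-side."""
    token = secrets.token_urlsafe(32)
    account.email_token_hash = hashlib.sha256(token.encode()).digest()
    account.email_token_expires = now + EMAIL_TOKEN_TTL_SECONDS
    return token  # would be e-mailed to account.email, never displayed in the app


def redeem_email_token(session: Session, token: str, now: float) -> bool:
    account = session.account
    if account.email_token_hash is None or now > account.email_token_expires:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, account.email_token_hash):
        return False
    account.email_token_hash = None  # single use
    session.email_verified_at = now
    return True


def set_password(session: Session, new_password: str, now: float,
                 current_password: str | None = None) -> None:
    account = session.account
    if session.generation != account.session_generation:
        raise PermissionError("session revoked")
    if account.password_hash is not None:
        # Ordinary case: the existing password is the proof of identity.
        if current_password is None or not hmac.compare_digest(
                hash_password(current_password, account.salt), account.password_hash):
            raise PermissionError("current password incorrect")
    else:
        # Social-only account: demand a fresh proof instead of a password.
        fresh_reauth = (session.last_reauth_at is not None
                        and now - session.last_reauth_at <= REAUTH_WINDOW_SECONDS)
        fresh_email = (session.email_verified_at is not None
                       and now - session.email_verified_at <= REAUTH_WINDOW_SECONDS)
        if not (fresh_reauth or fresh_email):
            raise StepUpRequired("re-authenticate with your provider or confirm via e-mail link")
    account.salt = secrets.token_bytes(16)
    account.password_hash = hash_password(new_password, account.salt)
    # Revoke every other session, including one left open on a shared machine.
    account.session_generation += 1
    session.generation = account.session_generation
```

One caveat the provider path needs in practice: if the browser on the shared machine still holds a live Google/Facebook session, a silent re-authentication would succeed without anyone typing a credential, so the re-auth request has to force an interactive login (prompt=login or a small max_age in OIDC) and the server must check the resulting auth_time rather than trusting the mere fact that the provider redirected back. The e-mail link path does not have that problem, which is why it is offered as the alternative.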