Skip to main content
    Consumer Identity · Authentication

    Verified Bidirectional Account Linking Across a Nine-Brand Identity Platform

    Apple, Google and password sign-in, unified behind one shared account, linked only after an email code challenge.

    A nine-brand consumer group let customers sign in with Apple, Google or email and password, and reuse a single account across every brand. When a new Apple or Google identity matched an existing account by email, the platform did not link them automatically. It first ran an email code challenge to prove the customer controlled that inbox. I led the identity design that made social access safe and reusable: same-email detection, verified bidirectional linking, risk-based OTP, private-relay handling, provider delinking on email change, and account-level blocking across all nine brands.

    Isometric diagram of the identity platform: nine brand experiences feed a shared customer identity hub, Apple and Google provider gateways with Share My Email and Hide My Email, a secure identity-resolution layer, an email code-challenge and OTP verification, low, medium, high and undetermined risk tiers, and account-level blocking across all interfaces.

    Image generated with AI

    Client and brand names are anonymized. Figures are approximate and based on the client's supplied visitor ratio. Separate breakdowns for Apple versus Google, sign-up versus sign-in, new versus previously linked accounts, and fraud or support reduction were not supplied and are left unquantified.

    Role

    AI Product Manager

    Providers

    Apple sign-inGoogle sign-inEmail + password

    Verification

    Email code challengeRisk-based OTPRepeated-failure blocking

    Identity

    Shared cross-brand accountServer-side identity resolutionProvider delinking

    Privacy

    Apple Share My EmailApple Hide My Email relay

    Scale & Controls

    Nine consumer brandsBidirectional Apple ↔ Google linkingAccount-level blockingSafe provider-failure recovery

    01 Context & Problem

    A consumer group ran nine separate brands on one shared customer platform. A customer could create an account once and reuse it everywhere, signing in with Apple, Google, or email and password. Social sign-in was meant to be a primary way in, not a secondary convenience, so the same person often arrived through different providers at different times: Google on one brand, Apple on another, a password later.

    That flexibility created an identity problem. When a customer signed in with a new Apple or Google identity whose email already belonged to an existing account, the platform had to decide what to do. Linking the two automatically on an email match alone would be unsafe: a matching email address suggests a relationship, but it does not prove the person signing in actually controls that inbox. The platform needed a way to connect compatible Apple and Google identities to one shared account without ever granting access on an email match by itself, and to do it consistently across all nine brands, including the awkward cases: Apple's private relay addresses, password-enabled accounts, risky sign-ins, and provider outages.

    02 Role & Constraints

    As AI Product Manager I owned the identity and account-linking design end to end: the authentication journeys across all nine brands, the same-email detection and resolution logic, the verification model that gated linking, the risk-based challenge policy, the private-relay handling, the delinking and re-verification rules on email change, the blocking policy, and the safe-failure behavior for provider outages. The guiding principle was that email matching could initiate a linking journey but never complete it. The customer always had to demonstrate access to the email tied to the existing account before two authentication methods were attached to one profile.

    The constraints were concrete. Linking had to be bidirectional and order-independent: Google first then Apple, or Apple first then Google, had to reach the same shared account. Apple's Hide My Email had to be handled separately, because a private-relay address that did not match the customer's real account email must not silently link into that account. Verification had to reuse the same code-challenge mechanism already trusted for elevated-risk authentication, so linking inherited proven controls rather than inventing new ones. Risk had to modulate friction: low-risk sign-ins should stay frictionless while medium, high and undetermined risk required an OTP. Repeated failures had to be contained through a blocking policy that applied at the account level, across every brand, not per brand. And provider failures had to fail safe, never leaving a customer with a partial or duplicate account.

    03 Product Approach

    The core reframe was to treat an email match as the start of a verification journey, not as proof of ownership. When Apple or Google authenticated a customer, the provider response and its email were resolved server-side against the shared account platform. If the email matched an existing account, the platform did not link anything yet. It issued a one-time code to the email on the existing account and linked the new provider only after the customer entered that code. Two authentication methods were attached to one cross-brand profile only once ownership was demonstrated.

    The same verified path covered both linking directions. If a customer created an account with Google and later chose Continue with Apple using the same shared email, the system detected the existing account, sent a code to its email, and linked Apple after successful verification. The reverse, Apple's Share My Email first and Google later, resolved to the same shared account through the same challenge. After linking, the customer could sign in with Apple, with Google, or with email and password wherever one had been configured, and land on the same account.

    Apple's Hide My Email stayed a deliberately separate path. When the private-relay address did not match the customer's undisclosed personal email, the identities were not eligible for same-email linking. Rather than link the relay into an unrelated account, the platform showed a limited-access explanation and created a separate relay-email account. Beyond first-time linking, the same account carried its own lifecycle: a customer could set a password on a social account, change the primary email (which delinked the previous social provider and required re-verification), and every returning sign-in still passed through risk evaluation before a session was issued.

    The reframe

    A matching email looks like proof of identity, but it is only a signal. The platform used it to open a verification journey, never to grant access. Compatible Apple and Google identities were linked to one shared account only after the customer completed an email code challenge, so a match initiated verification instead of automatically merging two logins.

    04 Features Built

    Apple & Google sign-in

    One authentication orchestrator routes Continue with Apple, Continue with Google and password sign-in across all nine brands.

    Shared cross-brand account

    A customer creates an account once and reuses it across every brand, whichever provider they arrive through.

    Same-email detection

    Server-side identity resolution flags when a new provider's email already belongs to an existing account.

    Email code challenge

    A one-time code sent to the existing account's email must be entered before two providers are linked.

    Bidirectional linking

    Google-first then Apple, or Apple-first then Google, resolve to the same shared account through the same challenge.

    Apple private-relay path

    Hide My Email addresses that do not match are not linked; a separate relay-email account is created instead.

    Risk-based OTP

    Low-risk sign-ins get a session; medium, high and undetermined risk require an email OTP before access.

    Account-level blocking

    Repeated OTP, code or password failures block the shared account across all nine brand interfaces.

    Password setup for social

    Customers can add an email-and-password login to an account first created through a social provider.

    Provider delinking on email change

    Changing the primary email delinks the previous social provider and requires provider re-verification.

    Safe provider-failure recovery

    Apple or Google service failures return a safe error and retry, preventing partial or duplicate accounts.

    Password + social parity

    Once a password is configured, email-and-password works alongside Apple and Google as an equal login.

    Also shipped: password setup for social accounts, email and password as an additional login once configured, password-gated email changes, provider re-verification after an email change, undetermined-risk handling, and a consistent security journey regardless of which brand the customer started from.

    05 Architecture

    Nine brand experiences fed one authentication orchestrator. A customer arriving through any brand was routed to the same flow: continue with Apple, continue with Google, or email and password. Apple and Google responses passed through provider-response validation and then identity resolution against the shared account platform, while password sign-ins resolved directly to the shared account. Identity resolution asked two questions in order: is this provider already linked, and if not, is there an eligible same-email account to link to.

    CustomerNine brand experiencesAuthentication OrchestratorSign-in optionsApple Sign-InShare / Hide My EmailGoogle Sign-InEmail + PasswordProvider responseProvider Response ValidationApple & GooglePassword pathIdentity ResolutionAlready linked? · Same-email?Eligible email matchApple relay emailAlready linkedEmail Code ChallengeCode to existing emailRelay-Email AccountHide My Email · new accountVerified · linkedNew accountShared Cross-Brand AccountActiveRisk CategoryLow · Med · High · Undet.Email One Time PasswordMed / High / undeterminedAuthenticated SessionCross-brand accessMed / HighValidLow risk · Direct sessionSession issuedSigned InAccess all nine brandsRepeated failuresAccount BlockingAll nine brandsAnalytics & Data Layer · events + audit logsSafe recovery · retry

    From there the flow branched into clearly bounded outcomes. An eligible email match issued a linking code to the existing account's email; on successful verification the provider was linked, on failure the attempt was rejected and recorded. An Apple relay email that did not match routed to a limited-access explanation and a separate relay-email account. Once resolved to a shared cross-brand account, the account status was checked: a blocked account was shown as blocked, an active account was scored into a risk category. Low risk issued an authenticated session directly; medium, high and undetermined risk sent an authentication OTP, and repeated failed challenges, up to a fixed threshold, blocked the shared account across all nine brands. The account itself exposed password setup and email changes, where changing the primary email delinked the previous social provider and required provider re-verification. Provider service failures did not create partial state: they returned a safe error and retry that routed back into the same orchestrator, so a failed Apple or Google call never produced a half-linked or duplicate account. The linking boundary combined three checks: a validated provider response, a compatible same-email match, and a successful email code challenge, and failed code submissions ran through the same challenge-control and blocking policy as risk OTPs.

    06 Measurement & Analytics

    The identity journeys were measured as a funnel from provider authentication through resolution, verification and session issuance, so a drop could be traced to the stage that caused it: provider response, same-email detection, code challenge, risk scoring, or blocking. The available data supported a combined adoption estimate, roughly forty thousand of one hundred thousand daily visitors per brand using an Apple, Google or account-linked journey, but it deliberately did not overstate what it could not separate. Apple versus Google, registration versus returning sign-in, newly linked versus previously linked accounts, successful versus abandoned code challenges, relay-email versus shared-email Apple accounts, and any duplicate-account, fraud or support-contact reduction were left unquantified until their underlying analytics were available, rather than reported as precise figures.

    Adoption metrics

    Share of daily visitors per brand using an Apple, Google or linked-account journey, aggregated across the nine brands.

    Verification funnel

    Provider response, same-email detection, code sent, code verified and provider linked, measured stage by stage.

    Risk & OTP metrics

    Risk-category distribution, OTP challenge rates for medium, high and undetermined risk, and OTP success and abandonment.

    Failure & blocking metrics

    Failed linking codes, risk OTPs and passwords counted toward the fixed threshold and account-level blocks applied.

    Provider & relay metrics

    Relay-email versus shared-email Apple accounts, and provider service failures routed into safe retry.

    07 Verification & Risk Decisioning

    The decision layer answered a sequence of narrow questions rather than a single yes or no. Is this provider already linked? If not, is there an eligible same-email account, or is this an Apple relay address that is not eligible? If eligible, has the customer proven ownership through the email code challenge? And on every resolved sign-in, what is the account's risk category, and does that require an OTP before a session is issued? Low risk continued to an authenticated session; medium, high and undetermined risk required an email OTP; and repeated failures, whether on a linking code, a risk OTP or a password, were counted through one shared challenge-control mechanism that blocked the account at a fixed threshold. Risk here modulated friction and verification strength; it did not decide identity by itself, and it never replaced the ownership proof that gated linking.

    What linking required, and what it never assumed

    Account linking was protected by a code challenge, not completed by an email match. The boundary combined a validated Apple or Google response, a compatible same-email account, and a successful email verification. A matching email opened the journey; the customer still had to demonstrate access to the email on the existing account before two logins were attached to one cross-brand profile.

    08 Status & Outcome

    The implementation established social authentication as a major access channel rather than a secondary login option. Customers could register with Apple or Google, reuse the same account across all nine brands, link compatible Apple and Google identities after an email code challenge, add a password to a social account, and move through a consistent security journey regardless of which brand they started from. Each brand received roughly one hundred thousand daily visitors, and approximately forty thousand per brand per day used an Apple, Google or linked-account journey: an estimated forty percent engagement with social or linked access. Across all nine brands that is approximately nine hundred thousand daily visitors and around three hundred and sixty thousand daily social or linked-account journeys. The result was a shared authentication foundation in which Apple, Google and password access operated as controlled methods around one cross-brand customer account, with linking gated by verification, risky sign-ins gated by OTP, private relay handled separately, and repeated failures contained by account-level blocking. These figures are approximate and based on the supplied ratio; they combine social and linked-account activity rather than separating each provider or journey type.

    ~40%

    Daily visitors using a social or linked journey (per brand)

    9

    Consumer brands on one shared account

    ~360K

    Daily Apple, Google or linked-account journeys

    ~900K

    Total daily visitors across the group

    09 Reflection / What's Next

    The defining achievement was not adding Apple and Google buttons. It was building the identity controls that made social access safe and reusable across nine brands: the platform could tell whether a provider identity was new, already linked, eligible for linking, using a private relay, password-enabled, risky or blocked, and it linked compatible identities only after an email code challenge. What I would strengthen next: separate the analytics that today stay combined (Apple versus Google, sign-up versus sign-in, new versus previously linked, challenge success versus abandonment, relay versus shared-email) so the funnel can be tuned with evidence rather than estimates; formalize the risk model's category definitions and thresholds with explicit governance; tighten relay-account guidance so customers understand why a Hide My Email sign-in created a separate account; and keep the delinking and re-verification rules on email change auditable end to end. The lasting outcome was a shared authentication layer where a matching email initiated verification rather than automatically granting access, and Apple, Google and password logins operated as controlled, linkable methods around a single cross-brand customer account.