01 Context & Problem
A consumer group ran nine separate brands on one shared customer platform. A customer could create an account once and reuse it everywhere, signing in with Apple, Google, or email and password. Social sign-in was meant to be a primary way in, not a secondary convenience, so the same person often arrived through different providers at different times: Google on one brand, Apple on another, a password later.
That flexibility created an identity problem. When a customer signed in with a new Apple or Google identity whose email already belonged to an existing account, the platform had to decide what to do. Linking the two automatically on an email match alone would be unsafe: a matching email address suggests a relationship, but it does not prove the person signing in actually controls that inbox. The platform needed a way to connect compatible Apple and Google identities to one shared account without ever granting access on an email match by itself, and to do it consistently across all nine brands, including the awkward cases: Apple's private relay addresses, password-enabled accounts, risky sign-ins, and provider outages.
02 Role & Constraints
As AI Product Manager I owned the identity and account-linking design end to end: the authentication journeys across all nine brands, the same-email detection and resolution logic, the verification model that gated linking, the risk-based challenge policy, the private-relay handling, the delinking and re-verification rules on email change, the blocking policy, and the safe-failure behavior for provider outages. The guiding principle was that email matching could initiate a linking journey but never complete it. The customer always had to demonstrate access to the email tied to the existing account before two authentication methods were attached to one profile.
The constraints were concrete. Linking had to be bidirectional and order-independent: Google first then Apple, or Apple first then Google, had to reach the same shared account. Apple's Hide My Email had to be handled separately, because a private-relay address that did not match the customer's real account email must not silently link into that account. Verification had to reuse the same code-challenge mechanism already trusted for elevated-risk authentication, so linking inherited proven controls rather than inventing new ones. Risk had to modulate friction: low-risk sign-ins should stay frictionless while medium, high and undetermined risk required an OTP. Repeated failures had to be contained through a blocking policy that applied at the account level, across every brand, not per brand. And provider failures had to fail safe, never leaving a customer with a partial or duplicate account.
03 Product Approach
The core reframe was to treat an email match as the start of a verification journey, not as proof of ownership. When Apple or Google authenticated a customer, the provider response and its email were resolved server-side against the shared account platform. If the email matched an existing account, the platform did not link anything yet. It issued a one-time code to the email on the existing account and linked the new provider only after the customer entered that code. Two authentication methods were attached to one cross-brand profile only once ownership was demonstrated.
The same verified path covered both linking directions. If a customer created an account with Google and later chose Continue with Apple using the same shared email, the system detected the existing account, sent a code to its email, and linked Apple after successful verification. The reverse, Apple's Share My Email first and Google later, resolved to the same shared account through the same challenge. After linking, the customer could sign in with Apple, with Google, or with email and password wherever one had been configured, and land on the same account.
Apple's Hide My Email stayed a deliberately separate path. When the private-relay address did not match the customer's undisclosed personal email, the identities were not eligible for same-email linking. Rather than link the relay into an unrelated account, the platform showed a limited-access explanation and created a separate relay-email account. Beyond first-time linking, the same account carried its own lifecycle: a customer could set a password on a social account, change the primary email (which delinked the previous social provider and required re-verification), and every returning sign-in still passed through risk evaluation before a session was issued.
A matching email looks like proof of identity, but it is only a signal. The platform used it to open a verification journey, never to grant access. Compatible Apple and Google identities were linked to one shared account only after the customer completed an email code challenge, so a match initiated verification instead of automatically merging two logins.
04 Features Built
Apple & Google sign-in
One authentication orchestrator routes Continue with Apple, Continue with Google and password sign-in across all nine brands.
Shared cross-brand account
A customer creates an account once and reuses it across every brand, whichever provider they arrive through.
Same-email detection
Server-side identity resolution flags when a new provider's email already belongs to an existing account.
Email code challenge
A one-time code sent to the existing account's email must be entered before two providers are linked.
Bidirectional linking
Google-first then Apple, or Apple-first then Google, resolve to the same shared account through the same challenge.
Apple private-relay path
Hide My Email addresses that do not match are not linked; a separate relay-email account is created instead.
Risk-based OTP
Low-risk sign-ins get a session; medium, high and undetermined risk require an email OTP before access.
Account-level blocking
Repeated OTP, code or password failures block the shared account across all nine brand interfaces.
Password setup for social
Customers can add an email-and-password login to an account first created through a social provider.
Provider delinking on email change
Changing the primary email delinks the previous social provider and requires provider re-verification.
Safe provider-failure recovery
Apple or Google service failures return a safe error and retry, preventing partial or duplicate accounts.
Password + social parity
Once a password is configured, email-and-password works alongside Apple and Google as an equal login.
Also shipped: password setup for social accounts, email and password as an additional login once configured, password-gated email changes, provider re-verification after an email change, undetermined-risk handling, and a consistent security journey regardless of which brand the customer started from.
05 Architecture
Nine brand experiences fed one authentication orchestrator. A customer arriving through any brand was routed to the same flow: continue with Apple, continue with Google, or email and password. Apple and Google responses passed through provider-response validation and then identity resolution against the shared account platform, while password sign-ins resolved directly to the shared account. Identity resolution asked two questions in order: is this provider already linked, and if not, is there an eligible same-email account to link to.
From there the flow branched into clearly bounded outcomes. An eligible email match issued a linking code to the existing account's email; on successful verification the provider was linked, on failure the attempt was rejected and recorded. An Apple relay email that did not match routed to a limited-access explanation and a separate relay-email account. Once resolved to a shared cross-brand account, the account status was checked: a blocked account was shown as blocked, an active account was scored into a risk category. Low risk issued an authenticated session directly; medium, high and undetermined risk sent an authentication OTP, and repeated failed challenges, up to a fixed threshold, blocked the shared account across all nine brands. The account itself exposed password setup and email changes, where changing the primary email delinked the previous social provider and required provider re-verification. Provider service failures did not create partial state: they returned a safe error and retry that routed back into the same orchestrator, so a failed Apple or Google call never produced a half-linked or duplicate account. The linking boundary combined three checks: a validated provider response, a compatible same-email match, and a successful email code challenge, and failed code submissions ran through the same challenge-control and blocking policy as risk OTPs.
06 Measurement & Analytics
The identity journeys were measured as a funnel from provider authentication through resolution, verification and session issuance, so a drop could be traced to the stage that caused it: provider response, same-email detection, code challenge, risk scoring, or blocking. The available data supported a combined adoption estimate, roughly forty thousand of one hundred thousand daily visitors per brand using an Apple, Google or account-linked journey, but it deliberately did not overstate what it could not separate. Apple versus Google, registration versus returning sign-in, newly linked versus previously linked accounts, successful versus abandoned code challenges, relay-email versus shared-email Apple accounts, and any duplicate-account, fraud or support-contact reduction were left unquantified until their underlying analytics were available, rather than reported as precise figures.
Adoption metrics
Share of daily visitors per brand using an Apple, Google or linked-account journey, aggregated across the nine brands.
Verification funnel
Provider response, same-email detection, code sent, code verified and provider linked, measured stage by stage.
Risk & OTP metrics
Risk-category distribution, OTP challenge rates for medium, high and undetermined risk, and OTP success and abandonment.
Failure & blocking metrics
Failed linking codes, risk OTPs and passwords counted toward the fixed threshold and account-level blocks applied.
Provider & relay metrics
Relay-email versus shared-email Apple accounts, and provider service failures routed into safe retry.
07 Verification & Risk Decisioning
The decision layer answered a sequence of narrow questions rather than a single yes or no. Is this provider already linked? If not, is there an eligible same-email account, or is this an Apple relay address that is not eligible? If eligible, has the customer proven ownership through the email code challenge? And on every resolved sign-in, what is the account's risk category, and does that require an OTP before a session is issued? Low risk continued to an authenticated session; medium, high and undetermined risk required an email OTP; and repeated failures, whether on a linking code, a risk OTP or a password, were counted through one shared challenge-control mechanism that blocked the account at a fixed threshold. Risk here modulated friction and verification strength; it did not decide identity by itself, and it never replaced the ownership proof that gated linking.
Account linking was protected by a code challenge, not completed by an email match. The boundary combined a validated Apple or Google response, a compatible same-email account, and a successful email verification. A matching email opened the journey; the customer still had to demonstrate access to the email on the existing account before two logins were attached to one cross-brand profile.
08 Status & Outcome
The implementation established social authentication as a major access channel rather than a secondary login option. Customers could register with Apple or Google, reuse the same account across all nine brands, link compatible Apple and Google identities after an email code challenge, add a password to a social account, and move through a consistent security journey regardless of which brand they started from. Each brand received roughly one hundred thousand daily visitors, and approximately forty thousand per brand per day used an Apple, Google or linked-account journey: an estimated forty percent engagement with social or linked access. Across all nine brands that is approximately nine hundred thousand daily visitors and around three hundred and sixty thousand daily social or linked-account journeys. The result was a shared authentication foundation in which Apple, Google and password access operated as controlled methods around one cross-brand customer account, with linking gated by verification, risky sign-ins gated by OTP, private relay handled separately, and repeated failures contained by account-level blocking. These figures are approximate and based on the supplied ratio; they combine social and linked-account activity rather than separating each provider or journey type.
~40%
Daily visitors using a social or linked journey (per brand)
9
Consumer brands on one shared account
~360K
Daily Apple, Google or linked-account journeys
~900K
Total daily visitors across the group
09 Reflection / What's Next
The defining achievement was not adding Apple and Google buttons. It was building the identity controls that made social access safe and reusable across nine brands: the platform could tell whether a provider identity was new, already linked, eligible for linking, using a private relay, password-enabled, risky or blocked, and it linked compatible identities only after an email code challenge. What I would strengthen next: separate the analytics that today stay combined (Apple versus Google, sign-up versus sign-in, new versus previously linked, challenge success versus abandonment, relay versus shared-email) so the funnel can be tuned with evidence rather than estimates; formalize the risk model's category definitions and thresholds with explicit governance; tighten relay-account guidance so customers understand why a Hide My Email sign-in created a separate account; and keep the delinking and re-verification rules on email change auditable end to end. The lasting outcome was a shared authentication layer where a matching email initiated verification rather than automatically granting access, and Apple, Google and password logins operated as controlled, linkable methods around a single cross-brand customer account.
