The behavior you're seeing is expected with Ory's default account linking and social sign-in flow. When a user is added to the system (e.g., via import or admin creation) and receives a reset-password email, an account is created with their email address. If the same user then tries to log in or register using SSO (e.g., Google) with the same email, Ory detects that the email is already associated with an existing account. By default, Ory does not automatically link the SSO (social login) account to the existing account for security reasons. Instead, the user is prompted to sign in using one of the existing authentication methods (such as password) to confirm their identity before linking the new SSO method. This prevents potential account takeover attacks that could occur if someone else controls the same email address at the SSO provider. Only after successful authentication with an existing method can the SSO account be linked to the user's profile [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration) [Account linking security considerations](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-security-considerations). Automatic account linking (where the SSO account is linked without additional verification) is only available in specific migration scenarios, and only if you explicitly enable the

use_auto_link

feature for pre-provisioned identities. This feature is not enabled by default and is only available for Ory Network or Enterprise customers after a security evaluation [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration) [Account linking security considerations](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-security-considerations). Summary: The account is not automatically linked with the Google account because Ory requires an explicit verification step (such as signing in with the existing method) before linking a new login method, to prevent security risks. Automatic linking is only available in controlled, pre-provisioned scenarios with additional configuration. For more details, see the documentation on [account linking](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration) and [account linking security considerations](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-security-considerations).