Unable to sign in to account w/ password when using alternative login method

ChristenGottschlich

I went to Kagi.com on a computer where i was not logged into Kagi but was logged into my Google account.
So i clicked on the Google icon under "or continue with".
I was met with a red text reading "An existing account with a password exists with this email - Please sign in using the password."
There was no place to input my password and finish login, so i closed the window and used DuckDuckGo instead.

I expected one of two things.

I get logged in seamlessly. I'm pretty sure ive logged in with my Google account before, so im perplexed why this did not work. And i cant seem to find a section under the account settings where i can view third-party accounts ive linked with Kagi's login. So maybe i havent?
I get that red message, indicating i need to supply my Kagi password in order to finish a link with the suppled Google account, as well as a text box where i would input said password, instead of the default login screen.

Vlad

Yes we changed this due to potential security threat. The issue currently is just that if a bad actor makes an account with a password before someone uses oauth on the same email, they can get a backdoor into the account essentially. (which is why we disabled oauth signin for password accounts, until we can work on something better). Trying to figure out the best way to enable this for safe actors, in the meantime please use the account password.

menubar

This issue has been previously partially addressed in this issue](https://kagifeedback.org/d/3330-apple-sign-in-then-set-password-breaks-apple-sign-in) (could not figure out how to find issue numbers as \#3300 links to a different topic).

Steps:

Create new account with Apple Sign In
Settings > Account > Set a password
Try to Apple Sign In again
Can not sign back in via Apple Sign In

I have a slightly different feature request. As I understand from that thread, blocking Sign in with Apple if a password is set afterward is intended behavior on Kagi logins. I have ideas about improving this as well as some issues with the current behavior:

This behavior is not replicated anywhere else I've encountered. Every other website or service that uses Sign in with Apple and allows setting a separate password either 1) allows you to log in with the generated email + set password OR the regular "Sign in with Apple" prompts, or in rare cases 2) requiring the password in addition to Sign in with Apple —not blocking the use of the Sign in with Apple button entirely). Regardless, I would argue that this behavior is not what the vast majority of users of the feature would expect when setting a password, unless there was a disclaimer explaining the outcome behavior of logging in after setting a password and the rationale (e.g., in an input box–adjacent message or hoverable pop up info element).
Main request Because setting a password disables the behavior that I would consider expected by users of this feature, allow passwords to either be removed or set only as an alternate method (to be used with the generated Hide My Email–type email as an alternate form of logging in if desired by the user). The implemented behavior wouldn't be so much of an issue if passwords could be unset, but I can't find any way to do this. Trying to set a blank password is not accepted by the account form. And this wouldn't be the ideal way of removing a password anyway because it's unclear whether you be set a password with 0 characters or removed it entirely.
The behavior explained in ~~#3300~~ the aforementioned topic does not extend to kagifeedback or orionfeedback, making the decision to use it for Kagi's main website puzzling

I have had a lot of issues with logging in with Sign in with Apple in the past, which was mostly resolved after months of email support, but now I'm once again unable to use my intended login method (Sign in with Apple button with the regular prompt—no added password) because I set a password, behavior that isn't present on any other service I've used. As mentioned, I feel this could be somewhat easily remedied by allowing users to roll back setting a password if they wish to use Sign in with Apple (although allowing it as an alternate login method is far better and ideal, as explained earlier) and adding a disclaimer about the unexpected changes in login behavior/methods when setting a password (although in my opinion, this shouldn't be necessary if common Sign in with Apple logic was used)

Sign in with Apple already has 2FA implemented, so I don't find the argument in the previous thread about helping with iCloud account compromise to be particularly convincing. It seems to me that cracking a user's iCloud account login, password and iCloud 2FA would be much more difficult than cracking only their generated email and password, but it is possible that I'm missing something.

Examples of use:

Set a password in order to use the generated email + password as a sign in method separate from the Sign in with Apple button, similar to other services that implement Sign in with Apple.
Add an option to require the password as well after using Sign in with Apple if a user desires (perceived?) increased security—or if they just wish to have a separate login for whatever reason

Examples of behavior on other websites:

Every other site I can think of that allows Sign in with Apple and setting a password allows the user one of the following options to log in:

Sign in with Apple including iCloud 2FA
Login with generated email + the password that has been set
Sign in with Apple + iCloud 2FA + asking for separately set password after that. This is including services that allow linking Sign in with Apple after already creating an account using email/username and password

pixel

Hey there @menubar,

Thank you for the post!
I merged your post with an existing one which is based on the same thing, which we are tracking internally.

Currently this is disabled due to security issues.
Since we do not verify emails, a bad actor could make an account with your email address & a password (without having access your apple account at all) and then you could use the "Continue with Apple" login & not realize that someone else is also using your account with a password (for example).

I hope that clears up at least why it was done this way.

With that said, we do have plans to make this better, at the very least allowing a user to remove a password again after setting one.
Ideally we could also allow the user to link an account after creation to sign in with, potentially.. but the first thing that will come is likely the first option.

Additionally, in the meantime if you would like your password removed, you can always email support@kagi.com and we can have that done for you until this is implemented.

menubar

pixel how can I email support from a generated Sign in with Apple account? Will I have to email from a separate account asking for the password to be removed on my Sign in with Apple email?

pixel

menubar

Yes, you can email from a different email if you need to mentioning the private relay email for your account.
I would also provide a previous invoice number or something along those lines just to validate it is you if possible.

alwyn

In my case this use case is a bug.

I didn't know how I was authenticating to Kagi (forgot), but I had a logged in session. Went into settings and I couldn't see what my authentication method was.

It appeared though as if I could access this information if I set a password on the account. So I set a password.

Then I remembered that I use Github to login.

Now I cannot log in anymore, and there is no way to fix it.

What should happen: Kagi SHOULD NOT allow you to set a password when you don't use an email address to login.

Theophil

I have subscribed to the Professional Account, but have no access to it. One possible reason for this is that I created Kagi account using my Apple account. Afterwards, I changed my password. Now it does not accept my new password with my e-mail address associated with my AppleID, and I cannot login using my Apple account.