Add Option to External Authentication Services to Override Duplicate Checking Settings

Core

We've followed all of the recommended security settings when it comes to the new Protection Profiles in v13. However, it's created an issue in terms of Google authentication (and assuming all external auth services). Most of our staff authenticate to their Rock account with their Google account (we use GSuite). However, because the duplicate checking is disabled for the Extreme profile (which applies to anyone in RSR - Staff Workers), it creates a duplicate when they first authenticate to Rock with their Google account. I also can't go in and pre-associate a Google login with their profile. (Haven't tested it yet, but the Google login username in Rock seems to use their user ID in Google, so it may be possible to pre-create staff logins, although it would be impossible for congregant logins.) The only way to correctly attach the Google login to their staff profile is for them to log in, merge the duplicates, and then they're good.

The other caveat is that we're about to start encouraging our attendees to create an account with us to manage their profiles on the external site, and if anyone falls under Medium / High / Extreme profiles, Google authentication will always create a duplicate for new logins, making that communication process more difficult.

The idea is to have a setting on each external authentication service that would allow duplicate checking for new logins through that service, overriding the security settings, which would help avoid some communication issues when it comes to rolling out accounts and onboarding staff.

I know there are some security implications that come with this, like if someone's email account is compromised it then gives them access to their database account. However, I would accept that risk, because if they can prove to Google (or other services) that they are who they say they are, then I'm satisfied. Our staff also uses 2FA on their Google accounts, so there's not much risk for us from a staff perspective.

Submitted by Leah Jennings, Northside Christian Church · Core