diff --git a/modules/backend/src/main/scala/docspell/backend/auth/Login.scala b/modules/backend/src/main/scala/docspell/backend/auth/Login.scala
index 9d265280..f32e5640 100644
--- a/modules/backend/src/main/scala/docspell/backend/auth/Login.scala
+++ b/modules/backend/src/main/scala/docspell/backend/auth/Login.scala
@@ -73,8 +73,13 @@ object Login {
     case object InvalidAuth extends Result {
       val toEither = Left("Authentication failed.")
     }
+    case class InvalidAccountSource(account: AccountId) extends Result {
+      val toEither = Left(
+        s"The account '${account.asString}' already exists from a different source (local vs openid)!"
+      )
+    }
     case object InvalidTime extends Result {
-      val toEither = Left("Authentication failed.")
+      val toEither = Left("Authentication failed due expired authenticator.")
     }
     case object InvalidFactor extends Result {
       val toEither = Left("Authentication requires second factor.")
@@ -85,6 +90,7 @@ object Login {
     def invalidAuth: Result = InvalidAuth
     def invalidTime: Result = InvalidTime
     def invalidFactor: Result = InvalidFactor
+    def invalidAccountSource(account: AccountId): Result = InvalidAccountSource(account)
   }
 
   def apply[F[_]: Async](store: Store[F], totp: Totp): Resource[F, Login[F]] =
@@ -99,6 +105,8 @@ object Login {
           res <- data match {
             case Some(d) if checkNoPassword(d, Set(AccountSource.OpenId)) =>
               doLogin(config, d.account, false)
+            case Some(d) if checkNoPassword(d, Set(AccountSource.Local)) =>
+              Result.invalidAccountSource(accountId).pure[F]
             case _ =>
               Result.invalidAuth.pure[F]
           }
diff --git a/modules/restserver/src/main/scala/docspell/restserver/auth/OpenId.scala b/modules/restserver/src/main/scala/docspell/restserver/auth/OpenId.scala
index b65841ef..1045a055 100644
--- a/modules/restserver/src/main/scala/docspell/restserver/auth/OpenId.scala
+++ b/modules/restserver/src/main/scala/docspell/restserver/auth/OpenId.scala
@@ -105,6 +105,7 @@ object OpenId {
     import dsl._
 
     for {
+      _ <- logger.debug(s"Setting up external account: ${accountId.asString}")
       setup <- backend.signup.setupExternal(ExternalAccount(accountId))
       res <- setup match {
         case SignupResult.Failure(ex) =>
@@ -143,6 +144,7 @@ object OpenId {
     import dsl._
 
     for {
+      _ <- logger.debug(s"Login and verify external account: ${accountId.asString}")
       login <- backend.login.loginExternal(config.auth)(accountId)
       resp <- login match {
         case Login.Result.Ok(session, _) =>
@@ -158,7 +160,9 @@ object OpenId {
             .map(_.addCookie(CookieData(session).asCookie(baseUrl)))
 
         case failed =>
-          logger.error(s"External login failed: $failed") *>
+          logger.error(
+            s"External login failed: $failed. ${failed.toEither.left.getOrElse("")}"
+          ) *>
             SeeOther(location)
       }
     } yield resp