diff --git a/app/controllers/france_connect/particulier_controller.rb b/app/controllers/france_connect/particulier_controller.rb
index 3efe18e97..ac99880bb 100644
--- a/app/controllers/france_connect/particulier_controller.rb
+++ b/app/controllers/france_connect/particulier_controller.rb
@@ -1,5 +1,6 @@
 class FranceConnect::ParticulierController < ApplicationController
 before_action :redirect_to_login_if_fc_aborted, only: [:callback]
+ before_action :securely_retrieve_fci, only: [:merge]
 def login
 if FranceConnectService.enabled?
@@ -42,6 +43,16 @@ class FranceConnect::ParticulierController < ApplicationController
 private
+ def securely_retrieve_fci
+ @fci = FranceConnectInformation.find_by(merge_token: merge_token_params)
+
+ if @fci.nil? || !@fci.valid_for_merge?
+ flash.alert = 'Votre compte FranceConnect a expiré, veuillez recommencer.'
+
+ redirect_to root_path
+ end
+ end
+
 def redirect_to_login_if_fc_aborted
 if params[:code].blank?
 redirect_to new_user_session_path
@@ -64,4 +75,8 @@ class FranceConnect::ParticulierController < ApplicationController
 flash.alert = t('errors.messages.france_connect.connexion')
 redirect_to(new_user_session_path)
 end
+
+ def merge_token_params
+ params[:merge_token]
+ end
 end
diff --git a/app/views/france_connect/particulier/merge.html.haml b/app/views/france_connect/particulier/merge.html.haml
index ad4a0489c..6ec910cdb 100644
--- a/app/views/france_connect/particulier/merge.html.haml
+++ b/app/views/france_connect/particulier/merge.html.haml
@@ -3,3 +3,10 @@
 .container
 %h1.page-title Fusion des comptes FranceConnect et #{APPLICATION_NAME}
+ %p
+ Bonjour,
+ %br
+ %br
+ Votre compte FranceConnect utilise #{@fci.email_france_connect} comme email de contact.
+ %br
+ Or il existe un compte sur #{APPLICATION_NAME} avec cet email.
diff --git a/spec/controllers/france_connect/particulier_controller_spec.rb b/spec/controllers/france_connect/particulier_controller_spec.rb
index 3a416491d..a67eadbac 100644
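Review bot: In `securely_retrieve_fci`, the lookup `FranceConnectInformation.find_by(merge_token: merge_token_params)` runs before anything checks that a token was supplied at all, so a request without `merge_token` becomes `find_by(merge_token: nil)`, which matches the first row whose `merge_token` column is NULL if the schema allows that (not visible in this diff), leaving only `valid_for_merge?` between such a row and the merge page. Bail out on a blank or non-string token before touching the database, e.g. `token = merge_token_params` / `@fci = FranceConnectInformation.find_by(merge_token: token) if token.is_a?(String) && token.present?`, and let the existing `@fci.nil?` branch handle the redirect. The `is_a?(String)` check also keeps `merge_token[]=` or hash-shaped params from turning the lookup into an `IN` query or raising. The flash text is a hardcoded French literal while the neighbouring helper uses `t('errors.messages.france_connect.connexion')`; a key under that same `errors.messages.france_connect` namespace would keep the controller consistent and spare the spec a copied string.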
--- a/spec/controllers/france_connect/particulier_controller_spec.rb
+++ b/spec/controllers/france_connect/particulier_controller_spec.rb
@@ -135,4 +135,36 @@ describe FranceConnect::ParticulierController, type: :controller do
 it { expect(flash[:alert]).to be_present }
 end
 end
+
+ describe '#merge' do
+ let(:fci) { FranceConnectInformation.create!(user_info) }
+ let(:merge_token) { fci.create_merge_token! }
+
+ subject { get :merge, params: { merge_token: merge_token } }
+
+ context 'when the merge token is valid' do
+ it { expect(subject).to have_http_status(:ok) }
+ end
+
+ context 'when the merge token is invalid' do
+ before do
+ merge_token
+ fci.update(merge_token_created_at: 2.years.ago)
+ end
+
+ it do
+ expect(subject).to redirect_to root_path
+ expect(flash.alert).to eq('Votre compte FranceConnect a expiré, veuillez recommencer.')
+ end
+ end
+
+ context 'when the merge token does not exist' do
+ let(:merge_token) { 'i do not exist' }
+
+ it do
+ expect(subject).to redirect_to root_path
+ expect(flash.alert).to eq('Votre compte FranceConnect a expiré, veuillez recommencer.')
+ end
+ end
+ end
 end
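Review bot: The new `#merge` examples cover a valid, an expired and an unknown token, but not a request with no `merge_token` param at all, which is the path where the before_action ends up calling `find_by(merge_token: nil)`; add a context such as `context 'when the merge token is missing' do` / `subject { get :merge }` / `it { expect(subject).to redirect_to root_path }`. The expired-token context references `merge_token` inside `before` only to force the lazy `let` to run, which reads more clearly as `let!(:merge_token)` scoped to that context. Both redirect examples compare the flash against a copied French literal; sharing the message through an I18n key or a constant would keep the spec and the controller from drifting apart.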