User Experience Stack Exchange is a question and answer site for user experience researchers and experts.
Our website uses a system where the username is the user’s email address. We have a function which permits the user to change his email.
What is the best way to go about this?
- Send an email only to the new email address just to confirm the change.
- Send an email to both the new and the old email addresses for confirmation.
- Send an email to the new address, asking the user to click a button for activation.
- I’m open to any different suggestions as well.
I’m concerned about functionality, security and usability. There could be some problems with activation; for example, activating an email address that has been created between the change request and the changed email activation would certainly cause some problems. I’m probably forgetting other corner cases…
The most common way is to:
Ask the user to enter her password before changing e-mail (even if she is currently logged in): this will help to avoid the account being stolen if the user has forgotten to log out or somebody has simply got hold of the user's cookies or something like that.
Send an activation link to the new address and don't switch e-mails until the new one has been activated: this will ensure that the user has entered a correct e-mail address she has access to.
In my opinion these steps should be secure and user friendly enough:
- Ask for password confirmation in the form to prevent other people from changing the email address when someone forgot to log out.
- Send an email to the old email address to let the user know that it has been changed and offer the possibility to prevent or revert the change.
- Send an email to the new email address to verify the email address.
- When the user verifies the new email address, change the old email address to the new one but keep the old one in case it needs to be reverted. To check that the old email address is actually the previous one you should save it somewhere.
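The flow described by the two answers above, as an added example that is not code from the question or either answer: password re-confirmation, a pending change that does not touch the account until the new address is verified, a notice with a revert link to the old address, and the old address retained after the swap so the revert link still works. It also handles the corner case from the question (the new address gets registered by another account between the request and the click) by re-checking uniqueness at verification time. The account store, the `outbox` list standing in for an SMTP send, and the PBKDF2 password hashing are assumptions of this example; a real deployment would use a database and a dedicated password hash such as argon2 or bcrypt.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in password hash (stdlib PBKDF2); use argon2/bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hash_token(token: str) -> bytes:
    # Only the hash of an emailed token is stored, so a database leak exposes no live links.
    return hashlib.sha256(token.encode()).digest()


def normalize(email: str) -> str:
    return email.strip().lower()


@dataclass
class Account:
    id: int
    email: str
    salt: bytes
    password_hash: bytes
    previous_email: Optional[str] = None   # kept after a change so it can be reverted
    revert_hash: Optional[bytes] = None    # hash of the revert token mailed to the old address
    revert_expires: float = 0.0


@dataclass
class PendingChange:
    new_email: str
    verify_hash: bytes   # hash of the token mailed to the new address
    revert_hash: bytes   # hash of the token mailed to the old address
    expires: float


class EmailChangeService:
    TOKEN_TTL = 24 * 3600

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                                  # injectable clock for tests
        self.accounts: dict[int, Account] = {}          # constructed in-memory store
        self.pending: dict[int, PendingChange] = {}     # at most one pending change per account
        self.outbox: list[tuple[str, str, str]] = []    # (recipient, subject, token); stands in for SMTP

    def register(self, account_id: int, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = Account(account_id, normalize(email), salt, hash_password(password, salt))

    def _email_taken(self, email: str, except_id: int) -> bool:
        return any(a.email == email and a.id != except_id for a in self.accounts.values())

    def request_change(self, account_id: int, password: str, new_email: str) -> bool:
        acct = self.accounts[account_id]
        # Step 1: re-authenticate even though the session is already logged in.
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            return False
        new_email = normalize(new_email)
        if new_email == acct.email or self._email_taken(new_email, account_id):
            return False
        verify_token, revert_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        # Nothing on the account changes until the new address is verified.
        self.pending[account_id] = PendingChange(
            new_email, hash_token(verify_token), hash_token(revert_token), self.now() + self.TOKEN_TTL)
        self.outbox.append((acct.email, "email-change-notice", revert_token))   # step 2: old address can cancel
        self.outbox.append((new_email, "email-change-verify", verify_token))    # step 3: new address proves control
        return True

    def verify_new_email(self, account_id: int, token: str) -> bool:
        p = self.pending.get(account_id)
        if p is None or self.now() > p.expires:
            self.pending.pop(account_id, None)
            return False
        if not hmac.compare_digest(hash_token(token), p.verify_hash):
            return False
        acct = self.accounts[account_id]
        # Re-check uniqueness: another account may have claimed this address since the request.
        if self._email_taken(p.new_email, account_id):
            self.pending.pop(account_id)
            return False
        acct.previous_email = acct.email       # step 4: keep the old address for a revert
        acct.email = p.new_email
        acct.revert_hash, acct.revert_expires = p.revert_hash, p.expires   # revert link keeps working
        self.pending.pop(account_id)
        return True

    def revert_change(self, account_id: int, token: str) -> bool:
        """Revert link from the old-address notice: cancels a pending change or undoes an applied one."""
        acct = self.accounts[account_id]
        p = self.pending.get(account_id)
        if p is not None and self.now() <= p.expires and hmac.compare_digest(hash_token(token), p.revert_hash):
            self.pending.pop(account_id)
            return True
        if (acct.revert_hash is not None and self.now() <= acct.revert_expires
                and hmac.compare_digest(hash_token(token), acct.revert_hash)
                and acct.previous_email is not None
                and not self._email_taken(acct.previous_email, account_id)):
            acct.email, acct.previous_email, acct.revert_hash = acct.previous_email, None, None
            return True
        return False
```

The revert token is generated at request time and mailed to the old address once, so the same link cancels the change while it is pending and undoes it after the new address has been verified; both tokens expire together. Comparing token hashes with `hmac.compare_digest` avoids timing leaks, and `_email_taken` runs again at verification time so the swap never produces two accounts with the same address.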