I recently jumped onto the hype train for an unnamed e-mail service and am currently on my way to updating all my accounts on various websites to get most of my (future) data off googlemail.
During this adventure I came across a couple of user flows for changing your e-mail address which I would like to share (amounts like “many” or “a few” are purely subjective, I did not count):
1. No questions asked
The e-mail address is just changed without any confirmation mails, second password check or spellchecking (two input fields). The e-mail address is the main login method to this account with some sensitive data. Any person with malicious intent will not be stopped from taking over my account if they change the e-mail address and after that my password.
2. Confirmation of new email
What I feel is the method used by most platforms: You will receive a confirmation e-mail at the new address you provide. This will ensure you typed in the e-mail correctly, but will not stop anyone from changing the main login method.
3. Confirmation through old address
Very few platforms send an e-mail to the old address to check if I am the actual owner of this account. If I click the link in the mail or enter a number they send me, the address is changed.
4. Confirmation through old and new address
Just once I had to confirm with my old address that I am the owner of the account and got another email to the new address to check if it does indeed exist.
Looking back at it, it feels like the usual UX vs security conflict. While method 1 provides the most comfortable flow, I see the most issues with it as already pointed out.
Having to confirm the old address and the new one is kind of a hassle, but of the methods pointed out it is the best way to keep the accounts of your users in their own hands.
Are there other common methods I am not aware of and what is generally considered best practice?
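Added example, not code from the post or from any platform it describes: a minimal implementation of flow 4 in Python, where the link sent to the old address must be used before the new address is mailed at all, tokens are single-use, hashed at rest and expire. The `EmailChangeFlow` class, the in-memory user store and the outbox standing in for outgoing mail are assumptions.

```python
import hashlib
import secrets
import time
TOKEN_TTL = 15 * 60  # seconds a confirmation token stays valid (assumed policy)

def _digest(token):
    # Only a hash of the token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

class EmailChangeFlow:
    """Hypothetical flow 4: confirm via the old address, then via the new one."""
    def __init__(self, users, now=time.time):
        self.users = users    # user_id -> current e-mail (constructed store)
        self.pending = {}     # token hash -> pending change (a dict)
        self.now = now        # injectable clock so expiry can be tested
        self.outbox = []      # (recipient, token) pairs standing in for SMTP
    def _issue(self, change, recipient):
        token = secrets.token_urlsafe(32)
        change["expires_at"] = self.now() + TOKEN_TTL
        self.pending[_digest(token)] = change
        self.outbox.append((recipient, token))

    def _take(self, token, expected_stage):
        key = _digest(token)
        change = self.pending.get(key)
        if (change is None or change["stage"] != expected_stage
                or self.now() > change["expires_at"]):
            return None
        del self.pending[key]  # single use: a consumed link cannot be replayed
        return change

    def request_change(self, user_id, new_email):
        change = {"user": user_id, "old": self.users[user_id],
                  "new": new_email, "stage": "await_old"}
        self._issue(change, change["old"])  # first link goes to the OLD address

    def confirm_old(self, token):
        change = self._take(token, "await_old")
        if change is None:
            return False
        change["stage"] = "await_new"
        self._issue(change, change["new"])  # only now is the NEW address mailed
        return True

    def confirm_new(self, token):
        change = self._take(token, "await_new")
        if change is None or self.users[change["user"]] != change["old"]:
            return False  # expired, out of order, or account changed meanwhile
        self.users[change["user"]] = change["new"]
        return True
```

Note that a token mailed to the new address cannot be used to skip the old-address step, since each token is bound to the stage it was issued for.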