What do you find is the most secure way to handle a user's change of email? I was thinking about this for a while and I just wondered how others are handling it.
- Method 1: User changes email address, re-enters their password. Done. Verification is sent to the new address.
- Method 2: User changes email address, re-enters their password. Verification is sent to the new address and old address; "Your password has recently been changed. If this was not you, click here to revert to your old password."
- Method 3: User changes email address, re-enters their password. A verification code is sent to the new email address and the user must confirm within X days/hours. User can also cancel the request if they entered it incorrectly.
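A sketch of Method 3 combined with the old-address notice from Method 2, as an added example that is not part of the original post. The in-memory user dict, the `outbox` list standing in for mail delivery, the function names and the 24-hour TTL are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TTL_SECONDS = 24 * 3600  # assumed value for the post's "X days/hours"

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(email, password):
    # Hypothetical in-memory record; "outbox" stands in for real mail sending.
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "pw": _pw_hash(password, salt),
            "pending": None, "outbox": []}

def request_email_change(user, new_email, password, now=None):
    """Start a change: re-check the password, park the new address as pending."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"]):
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the code, so a leaked table cannot confirm changes.
    user["pending"] = {"email": new_email,
                       "token_sha256": hashlib.sha256(token.encode()).digest(),
                       "expires": now + TTL_SECONDS}
    user["outbox"].append((new_email, "confirm", token))              # Method 3
    user["outbox"].append((user["email"], "change-requested", None))  # Method 2
    return token

def confirm_email_change(user, token, now=None):
    """Apply the pending address only for a matching, unexpired code."""
    now = time.time() if now is None else now
    pending = user["pending"]
    if pending is None:
        return False
    if now > pending["expires"]:
        user["pending"] = None
        return False
    supplied = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(supplied, pending["token_sha256"]):
        return False
    user["email"], user["pending"] = pending["email"], None  # single use
    return True

def cancel_email_change(user):
    """Drop the request, e.g. after a typo in the new address."""
    had_pending = user["pending"] is not None
    user["pending"] = None
    return had_pending
```

The account keeps its old address until `confirm_email_change` succeeds, so an unconfirmed or mistyped request never takes over the login identity.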