Change of Email

[Hasi]

What do you find is the most secure way to handle a user's change of email? I was thinking about this for a while and I just wondered how others are handling it.

• Method 1: User changes email address, re-enters their password. Done. Verification is sent to the new address.
• Method 2: User changes email address, re-enters their password. Verification is sent to the new address and old address; "Your password has recently been changed. If this was not you, click here to revert to your old password."
• Method 3: User changes email address, re-enters their password, a verification code is sent to the new email address and the user must confirm within X days/hours. User can also cancel the request if they entered it incorrectly.

Anyway, how are you handling/ planning to handle change of email?

 

[judda]

@Hasi I personally would go with method 3.  It protects the user from people who may have gained access to their account via any sort of security issue (i.e. cookie grabbing, session sharing, forgot to log out of a public computer).  While not being overly intrusive to the user experience.

[volka]

Quote

• Method 3: User changes email address, re-enters their password, a verification code is sent to the new email address and the user must confirm within X days/hours. User can also cancel the request if they entered it incorrectly.

1

This is not secure - the second method is far more secure than this just because you give the user the option to reclaim their account. To be secure, the email should be sent to their original address, where they are asked to confirm that they want to change their email address to the new address, and it should be only after the user responds from the original address that it is updated and put through the verification process itself. The time limit of response adds very little to the security (but doesn't hurt).

With what you have described, provided that I had that information and I was inside someone else's account, I would be able to easily take control since the verification for the process is coming to my (the attacker's) email address.

[Anoua]

I think sending an email to the original email like in Method 2 is probably a good idea or at the least not a bad one. Though the message should be about the email being changed, unless you are proposing only if the password is immediately changed after too send an email. But it doesn't hurt to send an email with the option to somehow recover the account. Could even be a reset the email back to the original and go through the password reset process.

But I haven't done this with Eliyo at this point. If there were issues and someones account was breached I would try to manually resolve the issue. Though people are responsible for their own passwords too.  But I haven't really ran into this scenario anyway, more situations where people needed me to change manually their email since they didn't have access anymore (well this was for Animal Acres which older) and couldn't remember their password.  

 

[volka]

Changing emails manually is only viable for very small websites and in no way recommended. You can potentially lose users doing it this way, also, as it is very clearly unprofessional and insecure; just because you’re doing it manually does not make it infallible. After all, you won’t always actually KNOW that it’s the original user contacting you, people require the same verifications that computers do. There’s definitely a reason you could never call a company and try to change your email without some further verification, and in this instance password might not even be good enough, as plenty of people save information to their browsers. Actually, considering that, password isn’t always enough unless you know how to name your fields properly to restrict autofill access (meaning none of these methods are appropriately secure).

 

Realistically, changing vital information should employ two-factor authentication of some sort. During registration you can always give options to set security questions, attach a phone number (and verify it to make sure it’s compatible with your verification method), or require a unique code sent to the original email address (which would not help in the case of not being able to access the original email).

 

[Anoua]

@volka 

Not sure if you are referring to my comment, but I feel like you are since no one has mentioned manually changing emails as an option. So I will clarify that Eliyo and Animal Acres both let you change your email yourself right in your account settings. 

Edited May 4, 2018 by Anoua

[volka]

I was - it’s an older thread, you’re the only one who responded recently, and the only response that’s mentions manually setting anything.

I did understand that you were talking about in instances where a user has lost access to their original email they signed up with. You apparently edited out the second part, but in case you still don’t see what I was saying (or other people reading this in the future don’t), it’s basically just that you need more points of verification to make that kind of process secure. If you emailed any major company and said you needed access to an account where you no longer had access to the email or your password, you would be very unlikely to be given access to that account by any means. This is why I mentioned things like security questions or telephone verification.

Honestly, if someone contacted me saying that they no longer had access to their GoneMushing account because they didn’t have access to the email and forgot their password, there’s zero chance I would give them access. I would have to advise them to register a second account if they didn’t have a secondary email or phone number in our system. Since we are a very small game I might have workarounds IF there was anything of actual monetary value in their account (ie, they purchased the registration codes, had an active subscription, or had credits in their account) but that would still involve emailing the original address to verify and moving ahead only if it either bounced or did not respond within thirty days.

[Anoua]

@volka Oh honestly. Of course I do more than just change an email because someone messaged me. But this thread isn't about that so no I did not go into details about my process nor do I intend right now, especially not when I find your tone and attitude to be one of disrespect, and again it would be off topic anyway. My point in mentioning it was I would have to manually handle the situation, including verification yes and then if appropriate updating an email. If you would rather do things differently than that is your prerogative but I manage my games how I would want them to be managed for games I play. 

 

[volka]

I apologize that you felt I was being disrespectful; while I was referencing what you said I was in no way talking directly to you. I also did not assume, and in no way meant to imply, that you were doing that. I only expanded on it because you originally had posted (which was in the email I got) that you couldn’t see how a secure system could handle that automatically; I was explaining how it could, for anyone who reads the thread and similarly cannot imagine it on their own.

 

Everyone is always allowed to run their own games in any way they want, of course, but I was simply saying that changing things manually is not advisable (for any information or circumstances, really). Again, not directed at you or implying that you should change, just making a statement since this forum is one of the only major resources available to novice programmers seeking to make a game of this sort. People unfamiliar or just beginning likely do not understand it to the degree that you do, and in those cases it’s even less advisable.

 

Again, sorry if I came across that way, my usage of the word “you” wasn’t meant to be personal, but more along the lines of the way you would use “one” - general and broad, as those statements are ones that apply generally.

 

I usually proofread my posts much more at length for tone to avoid this sort of thing, and lacking that did not catch it. I only ever seek to educate people, not criticize their choices. That is unproductive and undermines a community setting that should be about education. And education, I feel, is about arming people with information to accomplish whatever they might want, not dictating exactly how they should do it.

 

 (There are, however, industry “best practice” standards that should definitely be shared that way as they are highly encouraged.)