Best Practice to Verify User Identity Before Email Update in Auth0

Hello Auth0 Support Team,

We have a question regarding email update verification in Auth0.

Scenario

A user signs up using Email/Password with the email:
nihal@myworth.ai

Later, the user attempts to update their email address to:
nihal@abc.ai

Question

What is the recommended and secure approach in Auth0 to verify that the user requesting the email change is a valid and authenticated user before updating the email on their account?

Specifically, we would like guidance on:

  • Whether Auth0 supports email change verification flows out of the box
  • Best practices to:
      • Confirm the user’s identity (e.g., re-authentication, MFA, password re-entry)
      • Verify ownership of the new email address
  • How to prevent unauthorised email updates if a session is compromised

Our Goal

We want to ensure that:

  • Only the rightful account owner can update the email
  • The new email address is verified before becoming active
  • The process aligns with Auth0 security best practices

Any documentation references or recommended implementation patterns would be very helpful.

Thank you for your support.

Best regards,
Team myworth.ai

Hi @nihalm5930,

Welcome back to the Auth0 Community!

Allowing an email change based solely on an active session is risky because if a user leaves their browser unattended or if a session is hijacked, an attacker can “take over” the account by changing the email and then triggering a password reset.

A secure flow must solve three problems:

  • Authentication Freshness: Ensuring the person at the keyboard is still the owner (preventing session hijacking).
  • Proof of Control: Ensuring the new email address is actually reachable and owned by the user.
  • Account Recovery: Ensuring the original owner is notified so they can revert the change if it was unauthorized.

Here’s a 3-step solution for your needs:

1. Confirm Identity (Step-up Authentication)

Before you even show the “New Email” input field, you should require the user to re-verify. In Auth0, you can trigger this by redirecting the user to /authorize with specific parameters:

  • max_age=0: This forces the user to log in again, even if they have an active session.
  • MFA Challenge: If the user has MFA enabled, you should specifically trigger an MFA challenge.

2. Update the Email via Management API

Once the user has re-authenticated, your backend should call the Auth0 Management API PATCH /api/v2/users/{id} endpoint.

Security Best Practice Payload:

{
  "email": "nihal@abc.ai",
  "verify_email": true,
  "email_verified": false,
  "client_id": "YOUR_CLIENT_ID"
}

  • verify_email: true: Auth0 will automatically send a “Verification Email” to the new address.
  • email_verified: false: This ensures the user cannot use features of your app that require a verified email until they click the link in their new inbox.

3. Prevent Unauthorized Access (Post-Login Action)

To ensure the user doesn’t gain full access with an unverified “new” email, use an Auth0 Action to block them until the verification is complete.

exports.onExecutePostLogin = async (event, api) => {
  // Block the login while the (new) email address is still unverified.
  if (!event.user.email_verified) {
    api.access.deny('Please verify your new email address before continuing.');
  }
};

You will likely want to customize the Email Verification template in the Auth0 Dashboard (Branding > Email Templates). Ensure the “Redirect To” URL points to a success page in your application where you can instruct the user to log in again with their new credentials.

If you have any further questions, please don’t hesitate to reach out.

Have a good one,
Vlad
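As an added illustration of steps 1 and 2 above (example code, not Auth0's and not from the original reply): a backend guard that only builds the Management API PATCH request once the signature-verified ID token proves a fresh re-authentication. The freshness window, the `auth_time`/`amr` claim handling, and all sample values are assumptions chosen for the example.

```javascript
// Added example: enforce step-up before forwarding an email change to the
// Auth0 Management API. Assumes the ID token signature was already
// verified by your OIDC library; only the decoded claims are inspected here.

const MAX_AUTH_AGE_SECONDS = 300; // assumed freshness window for the re-login

// Return a failure reason, or null when the claims prove a fresh login.
// Auth0 sets auth_time when max_age is requested and amr: ["mfa"] after MFA.
function stepUpFailureReason(claims, now, requireMfa = false) {
  if (typeof claims.auth_time !== 'number') return 'missing auth_time claim';
  if (now - claims.auth_time > MAX_AUTH_AGE_SECONDS) return 'authentication too old';
  const hasMfa = Array.isArray(claims.amr) && claims.amr.includes('mfa');
  if (requireMfa && !hasMfa) return 'mfa not satisfied';
  return null;
}

// Build the PATCH /api/v2/users/{id} request from the thread. email_verified
// is forced to false and verify_email to true so the new address is unusable
// until the recipient clicks the verification link.
function buildEmailChangeRequest(userId, newEmail, clientId) {
  return {
    method: 'PATCH',
    path: `/api/v2/users/${encodeURIComponent(userId)}`,
    body: {
      email: newEmail,
      verify_email: true,
      email_verified: false,
      client_id: clientId,
    },
  };
}

// Step-up check first, then the request body. The caller sends the request
// with a Management API token; nothing is sent from this example.
function prepareEmailChange({ claims, userId, newEmail, clientId, requireMfa, now }) {
  const reason = stepUpFailureReason(claims, now, requireMfa);
  if (reason) return { allowed: false, reason };
  return { allowed: true, request: buildEmailChangeRequest(userId, newEmail, clientId) };
}

// Constructed sample: a session whose login happened an hour ago is refused
// even though it is still "active", which is exactly the hijack case above.
const staleAttempt = prepareEmailChange({
  claims: { sub: 'auth0|example', auth_time: 1700000000 },
  userId: 'auth0|example', newEmail: 'nihal@abc.ai',
  clientId: 'YOUR_CLIENT_ID', requireMfa: false, now: 1700003600,
});
console.log(staleAttempt); // { allowed: false, reason: 'authentication too old' }
```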