How to let users change their email? SAFELY

scenario

  1. It is a SPA
  2. Using email / password login (not social like Google …)
  3. There is a user who is already logged in, and the person’s email is already verified
  4. The user wants to change the email because the person doesn’t have the access to the email account anymore
  5. There is a link “change your email” on the website
  6. User enters a new email address + login password to protect from account squatting
  7. User gets an email verification to that new address
  8. After verifying the new email address, finally update user’s email via Auth0 Management API v2

If I simply change their email upon their request, the new email can be something different from what they think they own. (e.g. mis-typing can happen abc@example.com => abd@example.com)
Resulting they don’t get emails from us, and/or they can’t login with the new email address (trys to login with abc@example.com when it’s registered with abd@example.com)

If I don’t ask them for their password, somebody who gets access to the website can just take over the account. (e.g. people don’t always intentionally logout every time they leave the computer - may only just close the browser)

The steps would be

  1. somebody opens the website where its credentials are still valid without password
  2. goes to “change your email” and finish verifying the email
  3. goes to the login page, and click “forgot your password” to reset the password

As far as I searched, Auth0.com doesn’t provide this kind of mechanisms out of the box.

The parts I am having trouble trying to figure out are …

  1. entering a new email that can later link to the login user
  2. letting them type in correct password before adding a new email

Autho0.com itself doesn’t let users to change their email at all. Instead, it asks the user to add a new administrator, and delete the old one … so is this even possible with Auth0?


I found these related posts, but they don’t cover my scenario.

5 Likes
  1. entering a new email that can later link to the login user

For this one, maybe I can simply send a random ID to the new email a user enters. When the user enters the same ID on the website, the server can simply use PATCH /api/v2/users/{id} to update the email? I guess.

  1. user clicks “change your email”
  2. browser shows an input for a new email
  3. user enters a new email
  4. browser generates ID, and send a signal to the server, so it sends an email with the ID
  5. user opens the email and find the ID
  6. user comes back to the browser and enters the ID
  7. when the ID matches, send a signal to the server so it changes the user’s email

But I am still left with the password protection onto actually changing the email.

Bump on this, we want to implement the same exact functionality.

1 Like

I know this is old but this looks like it would be useful in this scenario:

Max Age Reauthentication

Hello,
Given that email address is a unique identifier of a user & providing an ability to change the email-address via self-service should be considered a very sensitive operation, so care must be taken to verify the user’s ownership to his current logged-in account along with the ownership to his new email address before changing the user’s email is important.

  • In order to verify user’s current ownership, this can be achieved by having the user go through step-up aka prompting a user to re-enter password or challenge with MFA (if already enrolled).

  • In order to verify the ownership of the new email address, this can be achieved by sending an OTP code/verification link to the new email address. Auth0 passwordless email feature can be used to perform this.

Once the above 2 things are successfully completed, then the user’s email can be changed by calling Auth0 Management API v2 Update User endpoint.

Please do note that changing an user’s email will terminate all SSO sessions of the user for security reasons, so it is important to prompt the user to re-enter their credentials using new email address/password.

Depending on the UX experience that you’re looking for, there might be few ways to do implement this. For a generic detailed design, please see this github repo. In case, more guidance is needed, Auth0 Professional Services can definitely assist in designing/implementing an architecture to suit your UX needs along with aligning to security best practices.

Hope that helps!

4 Likes

Thanks for update and quick reply. I’ll be sure to keep an eye on this thread. Looking for the same information.

www.rapidfs.com

1 Like

Hello,

@praveen.addepally , I have a problem with implementing according to your answer.
After the second step (Passwordless Authentication with Email) when user successfully click on verification link in email and athenticate to application, Auth0 creates new user with new email.
So calling endpoint PATCH /api/v2/users/{id} to update users email results with exception that email already exists.
Could you please advise how to deal with it?

Also, it is normal workflow that if new email is not verified yet, user normally can use the old one.
And the steps you provided sounds like a weird workaround and normally this functionality should be available out-of-the-box

2 Likes

Hey Alexander, I know it’s been a while but I was wondering if you managed to solve that issue?

@ale.spodin - Reg your question, yes a brand new user will be created under the passwordless email connection with the new email. Please note that the email address is unique within a connection & if you are calling the PATCH /api/v2/users/{id} with the user_id of the email/password user, then ideally you shouldn’t receive the “user already existing error”. One scenario I could think of where you might get this error is if you already have a user with the new email in the email/password connection.

Agreed, it would have been nice to have this feature supported out of the box. I checked internally & I do see feature requests on this but unfortunately, they did not make it to the roadmap compared to other requests.

Is there any update on supporting changing email out of the box? Is this still the suggested workaround @praveen.addepally?

1 Like

Is there an updated recommendation for this flow ?

1 Like

I’m also looking for a way to allow user to change their email using the auth0 universal login without going the API route

3 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.