Auth0 Home Blog Docs

Update User Email The Right Way - Part 2


#1

Hello,

I’d like to have a safe and secure way for my users to change their email address.

By safe and secure , I mean that an user shouldn’t be able to set an email that s-he does not control, in order to avoid:

  1. account squatting
  2. users getting locked out of their account, without any usable mean to recover it

With a PATCH on /users/ endpoint of the management API, the new email erases the old one, even if it’s not verified yet. This means the user can potentially be in a state where her-his account has no verified methods for recovery.

There’s been a similar request from another user on the old forum

https://community.auth0.com/t/login-with-old-email-until-new-email-is-verified/5329

The desired workflow was :

  1. User changes his email
  2. A verification email is sent to the new email address
  3. The user will only be able to login with his old email and password until the new email is verified
  4. Once the new email is verified the user can only login using the new email address

But the provided answer (link a new identity and delete the old one) doesn’t seem to be completely satisfying and is potentially dangerous.

A malicious user could block others from signing up by attempting to change its email to one that he doesn’t control, thereby linking a new identity to its account, and that unverified email would stay there, preventing the legitimate owner of the email address to sign up.

This angle of attack would be mitigated by the ability of the legitimate user to connect to the malicious account and remove itself from the identities (assuming that a full identity management interface is implemented), but that’s far from a simple and zero-friction scenario.

Can someone please tell me if there is a recommended sane way to update an user’s email with auth0 ?


I copied this question from a previous post, but no one answered the question sufficiently. Forcing verification on all emails is not a satisfactory solution for many workflows including my own. In our company’s application, the user is allowed to login without verification. He simply is limited in functionality until he verifies. After verification, he gains this additional functionality. Changing email should have no impact on the user record until after the new email has been verified. Until this time, the original email should remain tied to the user record.

This is a fundamental workflow for updating emails. It is critical to our workflow as i’m sure it is to many others. A well documented implementation process is imperative. Can someone please provide this sane solution for the large number of companies who use this type of workflow?

Thank you for your prompt response.


#3

In the current implementation I believe you would have to build all of this yourself. Something like:

  1. Your own “change email” feature that stores the new email in user_metadata or app_metadata,
  2. Your own email validation flow that sends a validation email to the user including a magic link,
  3. Magic link triggers a process that changes the user.email attribute for whatever was previously stored in metadata and then takes the user to your web page or hosted login page.

You’d want the native email validation disabled.