Confirm change of e-mail before updating it in database

ActorMike

Is there a way to only update an email address after the user has confirmed it? Amazing people are too lazy to unsubscribe, so they are putting in fake email addresses instead. We don't require email confirmation upon registration BTW.
 
Confirm new email from the old email would be a nice feature. If a user's account has been breached they couldn't change the email and the owner would still be able to recover the account.
 
I think the new email address must be confirmed before the old email address is removed. What if a user puts in someone else's email address? The way XF currently works, the new email will start receiving messages without authorizing it. Could be a potential problem. Many websites work this way now.
@Mike any thoughts?
 
That doesn't help if the account has been breached, they could just update and confirm the email to their own.

But however it's implemented, I totally agree with you that emails should be confirmed, and I'm surprised it's not already a feature.
 
Correct, I never suggested it for anything breach related. It's definitely an outlet that could be leveraged for misuse, and as also noted, for some bizarre reason some users will put in a bogus address rather than simply unsubscribe.

What you suggested is not practical, because many times users no longer have access to the old email account to approve the change.
 
After changing the email address there will be a highlighted notice on top of every page of the forum:

[Image: IMG_20200921_095100.webp]

At the same time you're not able to create any new messages, which makes your account inactive before confirmation of the new email address. People will usually be aware of the wrong email address they've provided and will change it right away.

But... if the owner of the wrong email address acts quicker than you, he receives the email address confirmation mail and clicks the confirmation button. Then he hits the forgot password link... he can actually steal your account that way.

That is actually a problem. So two step verification is needed to protect your account.
 
I'm not totally following this thread, but my forum is asking me to approve a new member's change of email address.

Clearly XF is trying to protect me from something. Not sure what.

Neither email (old or new) is on the forum spam list and the geography looks legit (most of our legit members are from a specific part of the US).
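
The confirm-before-replace flow discussed in this thread, sketched as an added example (not XenForo's code and not part of any post above). The `Account` class, the function names, the token lifetime and the rule that the confirmation link only works from a logged-in session of the same account are assumptions made for illustration; the last one addresses the case where the mistyped address belongs to someone else.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds; constructed value for this example


class Account:
    def __init__(self, user_id, email):
        self.user_id = user_id
        self.email = email    # confirmed address: notifications and password reset
        self.pending = None   # (new_email, sha256(token), expires_at) or None


def request_email_change(account, new_email, now=None):
    """Record the new address as pending; the confirmed address stays active."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    account.pending = (new_email, digest, now + TOKEN_TTL)
    return token  # would be mailed to new_email; only its hash is stored


def confirm_email_change(account, session_user_id, token, now=None):
    """Swap addresses only for a valid, unexpired token from the owner's session."""
    now = time.time() if now is None else now
    if account.pending is None:
        return False
    new_email, digest, expires_at = account.pending
    # Assumption: the link must be opened while logged in as this account, so
    # whoever merely receives the mail at a mistyped address cannot confirm it.
    if session_user_id != account.user_id:
        return False
    if now > expires_at:
        account.pending = None
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, digest):
        return False
    account.email, account.pending = new_email, None
    return True


def password_reset_recipient(account):
    """Password reset mail goes to the confirmed address, never the pending one."""
    return account.email
```

Until `confirm_email_change` succeeds, the old address keeps receiving mail and password resets, so a bogus or mistyped new address never becomes the account's contact address.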
 