They said I need to inform the user how they can verify their identify given they no longer have access to the email address on the account. Any ideas?
I would say: If they cannot verify their identity, you do not need to answer any GDPR requests.
How you verify the identity of your users is up to you. This has nothing to do with XF.