Tags: algorithm, asp.net-core, security, email-validation

Web application change email algorithm


I am developing an ASP.NET Core web application with user management functionalities. My question is about the email address changing algorithm. Almost every web app I have seen before has the following flow:

  1. User authorized
  2. User requested an email address change
  3. User received a message on the new mailbox with the confirmation link
  4. User clicks the link and the email address updates

But I think this algorithm might be a bit insecure, and that is what I want to discuss here.

How about this flow:

  1. User authorized
  2. User requested an email address change
  3. User received a message on the old mailbox with the confirmation link
  4. User received a message on the new mailbox with the second confirmation link
  5. User clicks the link and the email address updates

With this additional step in the middle of the algorithm, things may be much better from the security perspective, but would it be too complex or not? What algorithm do you think I should implement? And what would you prefer if you were in my shoes?


Solution

  • The main problem with this approach is: what happens if the user no longer has access to their original email account? Perhaps it was a work/school/uni account that they no longer have, or perhaps they've just forgotten their password or otherwise lost access to it.

    With your second approach, they are not going to be able to update to the new account, because they'll never receive the first confirmation link.

    How about the following approach instead:

    1. User requests an email change.
    2. Require the user to re-authenticate with their current password (just like when they change their password).
    3. Send a confirmation link to their new email.
    4. Send a notification to their old email, with the details of the change, and instructions on what to do if they didn't initiate the change.
    5. User clicks the link to update or contacts your support to say their account has been compromised.

    This way you still provide them with an alert that someone is trying to change their email (and potentially a means to stop it), but a user who has lost access to their old account will still be able to update their email.
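The flow proposed in the answer, written out as an added example that is not the answerer's code and not an ASP.NET Identity implementation: a framework-neutral service that re-authenticates the user, issues a single-use confirmation token to the new address, and sends the old address a notice with its own cancel token that kills the pending change. Constructed assumptions: an in-memory user table, an outbox list standing in for SMTP, PBKDF2 standing in for the framework's password hasher, a one-hour token lifetime, and `example.invalid` URLs. Only a hash of each token is stored, so a copy of the pending-change table cannot be replayed.

```python
"""Email-change flow: re-authenticate, confirm via the new address,
notify (and allow cancel from) the old address.
Added example with constructed in-memory stores; not from any project."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 60 * 60  # assumption: one hour to click the link


@dataclass
class User:
    user_id: int
    email: str
    salt: bytes
    password_hash: bytes


@dataclass
class PendingChange:
    user_id: int
    new_email: str
    cancel_hash: str      # sha256 of the cancel token mailed to the old address
    expires_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a real app uses its framework's hasher
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(user_id: int, email: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(user_id, email, salt, hash_password(password, salt))


def _digest(token: str) -> str:
    # Only token hashes are stored, so a leaked table cannot be used to confirm a change
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChangeService:
    def __init__(self, users: dict[int, User], clock=time.time):
        self.users = users
        self.clock = clock                              # injectable for expiry tests
        self.outbox: list[tuple[str, str]] = []         # (recipient, body) stand-in for SMTP
        self.pending: dict[str, PendingChange] = {}     # confirm-token hash -> change
        self.cancel_index: dict[str, str] = {}          # cancel-token hash -> confirm-token hash

    def request_change(self, user_id: int, current_password: str, new_email: str) -> tuple[str, str]:
        user = self.users[user_id]
        # Step 2: re-authenticate before any mail is sent
        if not hmac.compare_digest(hash_password(current_password, user.salt), user.password_hash):
            raise PermissionError("re-authentication failed")
        if any(u.email == new_email for u in self.users.values()):
            raise ValueError("address already in use")
        self._drop_pending_for(user_id)                 # one pending change per user
        confirm_token = secrets.token_urlsafe(32)
        cancel_token = secrets.token_urlsafe(32)
        change = PendingChange(user_id, new_email, _digest(cancel_token),
                               self.clock() + TOKEN_TTL_SECONDS)
        self.pending[_digest(confirm_token)] = change
        self.cancel_index[_digest(cancel_token)] = _digest(confirm_token)
        # Step 3: confirmation link to the new address
        self.outbox.append((new_email,
                            f"Confirm: https://example.invalid/email/confirm?token={confirm_token}"))
        # Step 4: notice plus cancel link to the old address
        self.outbox.append((user.email,
                            f"Email change to {new_email} requested. Not you? "
                            f"https://example.invalid/email/cancel?token={cancel_token}"))
        return confirm_token, cancel_token  # returned only so a caller can simulate the clicks

    def confirm(self, token: str) -> bool:
        """Step 5a: the new address clicked its link. Single-use, expiring."""
        change = self.pending.pop(_digest(token), None)  # pop makes the token single-use
        if change is None:
            return False
        self.cancel_index.pop(change.cancel_hash, None)
        if self.clock() > change.expires_at:
            return False
        self.users[change.user_id].email = change.new_email
        return True

    def cancel(self, token: str) -> bool:
        """Step 5b: the old address clicked 'this wasn't me'."""
        confirm_hash = self.cancel_index.pop(_digest(token), None)
        if confirm_hash is None:
            return False
        self.pending.pop(confirm_hash, None)
        return True

    def _drop_pending_for(self, user_id: int) -> None:
        for confirm_hash, change in list(self.pending.items()):
            if change.user_id == user_id:
                del self.pending[confirm_hash]
                self.cancel_index.pop(change.cancel_hash, None)
```

Note that the cancel link does not need the user to be logged in, so it still works when the account itself has been taken over, and that the confirm link changes nothing on its own unless the request step was already authenticated with the current password.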