Uncle Paulie

Security issues of letting a user be able to change their email address?

I'm developing a web app and currently I'm trying to decide whether or not to let my users change their email.

If an account gets compromised, the attacker only needs to change the email address and then reset the password to gain complete control of the user account. However, with no ability to change the email address, the user can regain control and simply reset the password to stop further rogue access to their account.

What do you think?

Upvotes: 3

Views: 2249

Answers (4)

Jacco

Reputation: 23779

It is my opinion that users should be able to change all details associated with their person, including their e-mail address.

The minimum security measure should be to ask the user to enter their password!

E-mail changes should be handled with the same care as password changes.

Asking for their password would prevent somebody from changing the e-mail address for an already logged-in user; after changing the e-mail address, it is usually trivially easy to get a valid password for the account, effectively taking over the account completely.

E-mail confirmation scheme:
Added security measures can come in various ways, usually consisting of some sort of e-mail confirmation.
The difficulty with e-mail confirmation is that a common reason for users to change their current e-mail address is that they can no longer access it (changed jobs, changed providers, etc.).

A common scheme of e-mail change confirmation is the following:

  1. Send an e-mail to the new address with a "confirm e-mail change" link (make sure it is a working e-mail address).
  2. Upon receiving the confirmation from the new address:
    • Change the e-mail address.
    • Send an e-mail to the old e-mail address with the option to "Revoke e-mail change" link (this option should be valid for 30 days or so).

Extended security with e-mail confirmation:
For some high-risk accounts, you could only allow 'limited access' to the account for as long as the 'revocation period' is still active (the above mentioned 30 days or so).

In addition to the "Revoke e-mail change" link, you can provide a "Confirm e-mail change" link in the e-mail sent to the old address. Clicking the link would make the change of address permanent, ending the revocation and 'limited access' periods immediately.

UPDATE
There seems to be some confusion about what is compromised if somebody is 'logged in'.
There are quite a few options for a fraudulent person to gain access to a logged-in account without knowing the password.

Consider, for example, the case where somebody simply walks away from the keyboard, or has chosen to use some sort of 'remember me' functionality (either provided by the browser or by the website itself).

While this is bad, a well designed system would/should limit the damage by not allowing any account-damaging actions to happen without asking for the user's password again.

The prime example for this is:
Ask the user for his/her current password if they want to change it.

Upvotes: 4

dave4420

Reputation: 47052

Retain the old e-mail address for a while, and allow it to be used to reset the password.

Upvotes: 0
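The scheme from Jacco's answer (password re-entry, confirmation at the new address, a revoke link for the old address with a 30-day window and 'limited access' while it is open) and dave4420's suggestion (the retained old address can still be used for a password reset) are easy to get subtly wrong, so here they are as one small, runnable flow. This is an added example written for this page, not code from any of the answerers; `Outbox` stands in for a real mailer, the `clock` parameter exists only so the revoke window can be tested, and all addresses, passwords and TTLs are constructed values.

```python
"""E-mail change with new-address confirmation, an old-address revoke window,
'limited access' while the window is open, and old-address password reset."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

REVOKE_WINDOW_SECONDS = 30 * 24 * 3600   # "30 days or so" (assumed value)
CONFIRM_TTL_SECONDS = 24 * 3600          # assumed lifetime of the new-address link


def _hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def _token_hash(token: str) -> str:
    # Only a hash of each one-time token is stored, so a database leak does not leak live links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    pending_new_email: Optional[str] = None    # step 1 state (awaiting new-address confirm)
    pending_confirm_hash: Optional[str] = None
    pending_expires: float = 0.0
    previous_email: Optional[str] = None       # step 2 state (revoke window open)
    revoke_hash: Optional[str] = None
    revoke_expires: float = 0.0


@dataclass
class Outbox:
    """Stand-in mailer: records (to, subject, token) instead of sending."""
    sent: List[Tuple[str, str, str]] = field(default_factory=list)

    def send(self, to: str, subject: str, token: str) -> None:
        self.sent.append((to, subject, token))


class AccountService:
    def __init__(self, outbox: Outbox, clock: Callable[[], float] = time.time):
        self.outbox, self.clock = outbox, clock

    def create_user(self, email: str, password: str) -> User:
        salt = secrets.token_bytes(16)
        return User(email=email, salt=salt, pw_hash=_hash_password(password, salt))

    def check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)

    def in_revoke_window(self, user: User) -> bool:
        return user.revoke_hash is not None and self.clock() <= user.revoke_expires

    def can_perform_sensitive_action(self, user: User) -> bool:
        # 'Limited access' for as long as the old address can still revoke the change.
        return not self.in_revoke_window(user)

    def request_email_change(self, user: User, password: str, new_email: str) -> bool:
        # Re-authenticate even though the session is already logged in; refuse a second
        # change while a window is open so the original address is never forgotten.
        if not self.check_password(user, password) or self.in_revoke_window(user):
            return False
        token = secrets.token_urlsafe(32)
        user.pending_new_email, user.pending_confirm_hash = new_email, _token_hash(token)
        user.pending_expires = self.clock() + CONFIRM_TTL_SECONDS
        self.outbox.send(new_email, "confirm e-mail change", token)  # step 1: new address only
        return True

    def confirm_new_address(self, user: User, token: str) -> bool:
        if (user.pending_confirm_hash is None or self.clock() > user.pending_expires
                or not hmac.compare_digest(_token_hash(token), user.pending_confirm_hash)):
            return False
        # Step 2: swap addresses, keep the old one, and mail it a revoke/confirm link.
        user.previous_email, user.email = user.email, user.pending_new_email
        user.pending_new_email = user.pending_confirm_hash = None
        revoke = secrets.token_urlsafe(32)
        user.revoke_hash, user.revoke_expires = _token_hash(revoke), self.clock() + REVOKE_WINDOW_SECONDS
        self.outbox.send(user.previous_email, "revoke or confirm e-mail change", revoke)
        return True

    def _valid_revoke_token(self, user: User, token: str) -> bool:
        return self.in_revoke_window(user) and hmac.compare_digest(_token_hash(token), user.revoke_hash)

    def _close_window(self, user: User) -> None:
        user.previous_email = user.revoke_hash = None
        user.revoke_expires = 0.0

    def revoke_change(self, user: User, token: str) -> bool:
        """'Revoke e-mail change' link from the old address: restore the old address."""
        if not self._valid_revoke_token(user, token):
            return False
        user.email = user.previous_email
        self._close_window(user)
        return True

    def confirm_from_old_address(self, user: User, token: str) -> bool:
        """'Confirm e-mail change' link from the old address: end the window early."""
        if not self._valid_revoke_token(user, token):
            return False
        self._close_window(user)
        return True

    def password_reset_addresses(self, user: User) -> List[str]:
        # While retained, the old address may also receive a password reset (dave4420).
        return [user.email] + ([user.previous_email] if self.in_revoke_window(user) else [])
```

The one check worth highlighting is the refusal in `request_email_change` while a revoke window is open: without it, an attacker who has already moved the address once could move it again and the second swap would overwrite `previous_email`, cutting the legitimate owner's old address out of the loop before the 30 days are up.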

PaulG

Reputation: 14041

Only let authenticated (logged-in) users change their email address. If the account is compromised, then they already have complete control over it. Changing the email address in this case should be the least of your worries! :)

Upvotes: -3

Gratzy

Reputation: 9389

Send a confirmation email to the original email address requiring some confirmation action before making the change.

Upvotes: 0