It will one day come up that a user has forgotten their authentication mechanism AND lost access to their email address.
It is then down to the discretion of the application administrator to validate the identity of the user, through whatever means necessary.
If the application administrator is sufficiently confident that the user's identity has not been compromised, they should be able to offer a new password and/or change the email address used to log on.
A huge warning is necessary to show the application administrator at this point!
It will one day come up that a user has forgotten their authentication mechanism AND lost access to their email address.
It is then down to the discretion of the application administrator to validate the identity of the user, through whatever means necessary.
If the application administrator is sufficiently confident that the user's identity has not been compromised, they should be able to offer a new password and/or change the email address used to log on.
A huge warning is necessary to show the application administrator at this point!