Should we allow the user to change their email address (if they are using PasswordCredentials)?
Password recovery ("forgot password") would be hard to support if we didn't allow that.
What happens if they are registered with their SSO email, and they change that email on the SSO provider's side without telling us?
How do we correlate the userId in our system with the new email address?
Is the change process going to be quite elaborate if we follow the OWASP recommendations? https://owasp.org/www-community/pages/controls/Changing_Registered_Email_Address_For_An_Account