What is the correct way to implement a change-of-email request flow?
I am currently implementing a change-of-email request flow for a web service without MFA. My initial approach is to consult the current OWASP Guide for such a flow. In reading the document, I've realized this is quite different from the flow I typically see on websites, even Fortune 100s.
The TLDR for the OWASP recommendation is:
- Verify the user's session upon request
- Send two emails with a confirmation and a cancellation URL, both time-limited and linked to the user:
  - One to the user's current address
  - Another to the user's new address
- Only after requests have been made to BOTH confirmation URLs is the account information in the data store changed.
- If a request is made to either of the cancellation URLs, the flow is cancelled.
- After that, typical session invalidation / forced re-authentication.
This all sounds good and quite secure, but it doesn't align with what I see implemented in the wild. A more typical flow, for example on Reddit, is:
- Re-authenticate user with password upon request
- Send a confirmation link to the new email address
- (optionally seen on many other sites) Include some message that "If you did not make this request, this email can be safely ignored"
- Upon confirmation, change the address of the user in the data store
My question: Is this abridged flow sufficient from a security standpoint?
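The OWASP-style dual-confirmation flow summarized in the question, as an added illustration (not code from the post, from OWASP, or from any site named above): a minimal in-memory state machine in which the stored address changes only after both confirmation tokens have been presented, either cancellation token aborts the request, and the whole request expires. The class and function names, the 15-minute lifetime and the dict-based user store are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from hmac import compare_digest

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds (not an OWASP-specified value)


def _token() -> str:
    return secrets.token_urlsafe(32)  # unguessable token carried in the emailed URL


@dataclass
class PendingChange:
    old_email: str
    new_email: str
    created: float
    # one confirm token and one cancel token per address, as in the OWASP flow
    tokens: dict = field(default_factory=lambda: {
        "confirm_old": _token(), "cancel_old": _token(),
        "confirm_new": _token(), "cancel_new": _token()})
    confirmed: set = field(default_factory=set)


class EmailChangeFlow:
    def __init__(self, users: dict):
        self.users = users      # user_id -> current email (constructed store)
        self.pending = {}       # user_id -> PendingChange
        self.invalidated = []   # users whose sessions must be revoked after a change

    def request(self, user_id: str, new_email: str, now: float) -> PendingChange:
        # The caller has already verified the session; a new request replaces any old one.
        p = PendingChange(self.users[user_id], new_email, now)
        self.pending[user_id] = p
        return p  # the mailer would embed p.tokens[...] in the two emails

    def handle(self, user_id: str, token: str, now: float) -> str:
        p = self.pending.get(user_id)
        if p is None:
            return "invalid"
        if now - p.created > TOKEN_TTL:
            del self.pending[user_id]  # stale request is discarded, not honoured
            return "expired"
        kind = next((k for k, t in p.tokens.items() if compare_digest(t, token)), None)
        if kind is None:
            return "invalid"
        if kind.startswith("cancel"):  # either address can veto the change
            del self.pending[user_id]
            return "cancelled"
        p.confirmed.add(kind)
        if p.confirmed != {"confirm_old", "confirm_new"}:
            return "pending"  # wait for the other address
        self.users[user_id] = p.new_email
        del self.pending[user_id]
        self.invalidated.append(user_id)
        return "changed"
```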