As with the password retrieval system, we have to make sure that
this can't be used to detect who the users are. I propose that we use the
same solution I've seen elsewhere (I believe Bugzilla implements it).
It works like this: The user logs in and requests an email address
change. The system then sends an email to that address, with a
validation link, where the password has to be supplied in order to save the change. Now we can consider the scenarios:
- If all goes well, the user just clicks the link, supplies the password, and our system changes the address of the user.
- If the user has supplied an invalid email, nobody will get the email, and nothing changes. The user will not know whether the email had been registered at the site (privacy), and will not have any problems with password retrieval (safety).
- If the user has supplied a valid email she doesn't have access to (whether it belongs to a user or not), the receiver can use the validation link, but doesn't have the password, so nothing is changed. I.e., you can't accidentally "give" your account to someone else.
- If the user has supplied an email already belonging to a different user, and she (the submitter) has access to it, she will be notified that the operation cannot be done after the password has been validated on the validation page. This is safe since she has access to the email account, and we're therefore dealing with one person / company having multiple accounts. In this case, we could kindly suggest to the user to delete one of the accounts, and use the other, referring to the password retrieval page in case that's the reason the user created multiple accounts.
I think this would be a very good solution for our users, making sure they lose neither their privacy nor their accounts, while maintaining the uniqueness of the emails registered.
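The flow described in this message, as an added in-memory model (example code written for this page, not the project's own or Bugzilla's code). The `EmailChangeService` class, its method names, the outcome strings, and the `outbox` list standing in for mail delivery are all assumptions; the point it demonstrates is that the request step behaves identically whether or not the new address is taken, that the link alone changes nothing without the password, and that the "address already in use" answer is only given after the password has been verified.

```python
import hashlib
import hmac
import secrets
import time

# Assumed tunables: PBKDF2 rounds kept low so the demo runs quickly;
# a deployment would use a far higher cost (or Argon2/bcrypt).
PBKDF2_ROUNDS = 20_000
TOKEN_TTL_SECONDS = 60 * 60
MAX_PASSWORD_ATTEMPTS = 5  # cap guesses against a leaked validation link


class EmailChangeService:
    """In-memory model of the proposed two-step email-change flow (assumed names)."""

    def __init__(self):
        self.users = {}    # user_id -> {"email", "salt", "pw_hash"}
        self.pending = {}  # token -> {"user_id", "new_email", "expires", "attempts"}
        # Constructed stand-in for the mail transport: (to_address, token).
        # In the real system this is an SMTP send; nothing here reads it back.
        self.outbox = []

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def register(self, user_id, email, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {
            "email": self._norm(email),
            "salt": salt,
            "pw_hash": self._hash(password, salt),
        }

    def request_change(self, user_id, new_email):
        """Step 1: a logged-in user asks to move to new_email.

        Deliberately returns nothing and does the same work whether or not
        new_email is already registered, so the requester learns nothing
        about other accounts at this stage.
        """
        token = secrets.token_urlsafe(32)
        self.pending[token] = {
            "user_id": user_id,
            "new_email": self._norm(new_email),
            "expires": time.time() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((self._norm(new_email), token))
        return None

    def validate(self, token, password):
        """Step 2: whoever received the mail opens the link and supplies the password."""
        entry = self.pending.get(token)
        if entry is None or entry["expires"] < time.time():
            self.pending.pop(token, None)
            return "invalid_token"
        user = self.users[entry["user_id"]]
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"]):
            # Mailbox access alone is not enough: nothing changes, and the
            # caller still learns nothing about whether new_email is taken.
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_PASSWORD_ATTEMPTS:
                del self.pending[token]
            return "bad_password"
        # Password is correct, so the caller owns both the account and the
        # mailbox; the token is single-use from here on.
        del self.pending[token]
        new_email = entry["new_email"]
        for uid, other in self.users.items():
            if uid != entry["user_id"] and other["email"] == new_email:
                # Only now is the uniqueness conflict disclosed.
                return "email_in_use"
        user["email"] = new_email
        return "changed"


if __name__ == "__main__":
    svc = EmailChangeService()
    svc.register("alice", "alice@example.com", "alice-pw")
    svc.register("bob", "bob@example.com", "bob-pw")
    svc.request_change("alice", "bob@example.com")   # address owned by bob
    _, token = svc.outbox[-1]
    print(svc.validate(token, "bob-pw"))     # bob has the link, not the password
    print(svc.validate(token, "alice-pw"))   # alice has both: conflict disclosed
```

The conflict check sits after the password check on purpose: moving it earlier would let anyone who could reach the link (or the request form) probe which addresses are registered.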