Secure way to create change email process

Some time ago I faced the challenge of designing a secure email-change process for our authentication service. Every system has users, and it usually uses the email address as the login. Moreover, systems use the email address to communicate with the end user, so even if we had an artificial login name in the system, we would still need to care about how we reach the user. Additionally, systems use the email address for the forgotten-password functionality, so it is very sensitive to a change or takeover by a potential attacker. That is why we need to secure it very strongly.
It is also a good idea to give the customer the possibility to change the email address defined in the system, especially if you want to have a long-term relationship with him/her.

That is why it is very important to secure the email-change process properly. Many sources describe the password-reset process, but I did not find any information about changing the email address.
We will consider two dimensions: the action on the email address (create or update) and the origin of the request (admin or end user). The whole flow relies on emails sent to the user, both informational and actionable.
Below you can see the diagram of the flows for each case.

Process definition

Add user flow (triggered by user):

  1. The user creates a new account.
  2. The application saves the request to create the user.
  3. The application sends an email to confirm the email address.
  4. If it is not confirmed, the system does not create the user account and the request is removed.
  5. If it is confirmed, the system sends an informational email to the new address and creates the user in the database.

Add user flow (triggered by admin):

  1. The admin creates a new user.
  2. The application sends an informational email to the new address.

Change email process flow (triggered by user):

  1. The user changes his email address.
  2. The application saves the request to change the email address.
  3. The application sends an email to confirm the email address change.
  4. If it is not confirmed, the system removes the change request from the database.
  5. If it is confirmed, the system saves the new email address in the database.
  6. Then it saves a "revert change" request and sends an email to the old address with a function to revert the change.
  7. If this email is ignored, the system removes the "revert change" request after some delay.
  8. If the user decides to reject the change, the system reverts the email address in the database using the stored previous value.

Change email process flow (triggered by admin):

  1. The admin changes the user's email address.
  2. The application sends informational emails to the old and the new address.

As you can see in the diagram above, we need to send a few informational emails to the user. We can specify the following mail types in the process:

  1. Informational email to the new address.
  2. Informational email to the old address.
  3. Request to confirm the new email, sent to the new address.
  4. Informational email to the old address with the functionality to revert the email change (the new email should be anonymized, e.g. ad*****@br*****.org).

The application does not apply the email change immediately. It changes the address only after confirmation by the affected user on the new email (3). Moreover, the system notifies the user on the old email that the address was changed (4).
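The user-triggered change flow (steps 2 to 8) and the anonymized notification from the mail-type list, as an added Python example that is not part of the original post: confirmation and revert tokens are random, only their hashes are stored, and both requests carry an expiry so that unconfirmed changes and ignored revert offers are dropped. The window lengths, the `T0` clock value and the in-memory `User` record with its `outbox` are assumptions standing in for a real database and mailer.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CONFIRM_WINDOW = timedelta(hours=24)  # assumed: unconfirmed requests are dropped after this
REVERT_WINDOW = timedelta(days=7)     # assumed: the "some delay" after which a revert link dies
T0 = datetime(2024, 1, 1, 12, 0)      # constructed clock value for the demo below

def anonymize(email: str) -> str:
    """Mask the new address in the mail to the old one, e.g. ad*****@br*****.org."""
    local, domain = email.split("@", 1)
    name, _, tld = domain.rpartition(".")
    return f"{local[:2]}*****@{name[:2]}*****.{tld}"

def _digest(raw: str) -> str:  # only the digest is stored; the raw token travels in the link
    return hashlib.sha256(raw.encode()).hexdigest()

@dataclass
class User:
    email: str
    pending: dict = field(default_factory=dict)  # digest -> (new email, expiry)
    revert: dict = field(default_factory=dict)   # digest -> (old email, expiry)
    outbox: list = field(default_factory=list)   # (recipient, mail type, body)

def request_change(user: User, new_email: str, now: datetime) -> str:
    """Steps 2-3: store the request, not the change, and mail the new address."""
    raw = secrets.token_urlsafe(32)
    user.pending[_digest(raw)] = (new_email, now + CONFIRM_WINDOW)
    user.outbox.append((new_email, "confirm", raw))
    return raw

def confirm_change(user: User, raw: str, now: datetime) -> bool:
    """Steps 5-6: apply the change, store a revert request, notify the old address."""
    entry = user.pending.pop(_digest(raw), None)
    if entry is None or now > entry[1]:
        return False  # step 4: an unknown or expired request is simply dropped
    old, user.email = user.email, entry[0]
    r_raw = secrets.token_urlsafe(32)
    user.revert[_digest(r_raw)] = (old, now + REVERT_WINDOW)
    user.outbox.append((old, "revert", f"changed to {anonymize(user.email)}; undo: {r_raw}"))
    return True

def revert_change(user: User, raw: str, now: datetime) -> bool:
    """Step 8: the old address rejects the change; step 7: refused once the delay has passed."""
    entry = user.revert.pop(_digest(raw), None)
    if entry is None or now > entry[1]:
        return False
    user.email = entry[0]
    return True
```

Every token is single-use because the lookup pops it, so a confirmation link replayed after a revert cannot reapply the change.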

This way of changing the email address is secure against any type of account hijacking and gives 100% assurance that the email address is correct.