So you could only allow an email change if the user proved they owned the new email account by clicking a link or entering a code sent to that account?
Seems like a natural option.
Of course, allowing you to disallow email changes seems pretty reasonable too.
The issue if I remember correctly was that you could require the email to be verified. But while that verification was pending, it would already use the new email as the user’s asserted attribute.
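Modelling the pending-verification flaw described above next to the hardened flow, as an added example that is not from this thread or any product mentioned in it; class names, fields and the token lifetime are assumptions:

```python
# Added example (not from the thread). Two account models: one where a requested
# email becomes the asserted attribute before verification, one where it does not.
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed verification window


class NaiveAccount:
    """Flawed flow: the new address is asserted while verification is still pending."""

    def __init__(self, email):
        self.email = email
        self.verified = True

    def request_email_change(self, new_email):
        self.email = new_email      # asserted attribute updated immediately
        self.verified = False       # verification merely pending
        return secrets.token_urlsafe(32)

    def asserted_email(self):
        return self.email           # returns the unverified address


class SafeAccount:
    """Hardened flow: the verified address stays in effect until the new one is proven."""

    def __init__(self, email):
        self.email = email
        self._pending = None        # (new_email, token, expires_at) or None

    def request_email_change(self, new_email):
        token = secrets.token_urlsafe(32)
        self._pending = (new_email, token, time.time() + TOKEN_TTL_SECONDS)
        return token                # delivered only to new_email

    def verify_email_change(self, token):
        if self._pending is None:
            return False
        new_email, expected, expires_at = self._pending
        if time.time() > expires_at or not hmac.compare_digest(token, expected):
            return False
        self.email = new_email      # committed only after proof of ownership
        self._pending = None
        return True

    def asserted_email(self):
        return self.email           # never returns an unverified address
```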