2020-04-30
privacy
software
One does not change primary email address too often. When that happens, you likely want to change it in the various services and subscriptions you use. This can be a challenging task in itself - partially because the services have wildly different policies on how this happens. I'll categorise some of the ones I went through.
Most services use email as a primary user ID when logging in. Even the ones which use some account ID instead, you virtually always have an associated email address, so the problem of changing that is applicable.
During my latest email change I came across a few different approaches:
I believe there are at least two critical aspects of this process:
(Note: I'm writing this up somewhat later than I actually executed, and my notes are not precise. I may have gotten a few somewhat incorrectly. Also, things change over time - hopefully for the better!)
By the way, when I mention "verify email address" below, I refer to the process where you get a mail to that (new) address with some activation code in it that you need to use to get back to the original site, hereby verifying that you can read emails going to that address. This is not perfect but it's basically the best current practice.
We are professionals and we give you flexibility to do this.
The basic idea is the following: the service has, potentially, multiple email addresses that are associated with your account. Sometimes up to two, but perhaps as many as you want. One of these is designated to be the primary one (for whatever definition of primary - perhaps the one used to login, or notifications or else).
Changing your email in such a setup is quite straightforward: you add a secondary address, verify it, then designate this to be the primary one, and finally delete the old one. A couple of steps but very logical and secure.
Examples of this include GitHub and PyPI.
You want to change your email? Cool! Let's make sure everything is in order.
Here, when initiating a change, you can specify a new address, and you are asked to verify it. Once you do, the system changes to the new address and sends notification to both the old and the new address. This is important because:
One example of this approach is Linkedin.
The only constant is change. We will keep you in the loop while it happens.
Verification is for the weak! It's enough if you to type in an address (perhaps twice, using copy&paste to make sure...). The system sends a notification to both the old and the new address confirming the change.
Now, if you made a typo in your new address, and worse you don't even know what the typo is (because the page is closed, form is not reloaded, this is not mentioned in the notification, you name it) then you just lost access to your account. Customer care may or may not be able to help, it really depends on how advanced their backend is: if it records such actions then you're good. Then again, if they go as far as to record this, they are unlikely to allow such an error prone process. Who knows.
Examples: ACM, Mariott, Skype (!) and surprisingly Netflix. This last one is actually quite scary because in the mail to old address they don’t tell you what is the new address. Good luck if your password leaked. In their defence they do ask you to contact them if you did not mean to change, so presumably they can help :-)
Whatever happened, happened. Let's not dwell on the past any more!
In this case you enter the new address (verification? what verification?) and get a notification to your new address only. So if you didn't do this yourself, you'll be none the wiser; if you otherwise received whatever kind of mails from them, those will just not arrive in your mailbox any more. Until you want to log in next time (assuming you need the email to log in -- which is not always the case).
Examples: Artis (NL), Zilveren Kruis (NL) - though this later one does not need/use email for logins.
It's done. That's the only thing that matters.
Just enter the new address… no notification or verification whatsoever.
Examples:
Our way or the highway.
Greenwheels (a Dutch car sharing service) does not provide an online method to change your email address. Instead you're asked to open a ticket with customer service (ironically: via email) to let them make the change. And, for good measure they ask you to attach a scanned copy of your driving license (or ID?)... again, via email! My guess is they don't trust their own online system to handle this change automatically, and they prefer manual labour. Not sure how this prevents typos, but I do understand "this is for security"
Update: not sure when it really changed but as of January 2022 they no longer do this. Instead they follow the "Leaving the Old One Behind" procedure. Which is still not good enough, but it's better than what it was.
I'd recommend everyone to opt for "the sensible one" at a minimum. It's not that hard. The rest have gaps that nobody wants to deal with.
Finally a question: suppose I really want to leave the old address behind, for whatever reason. How can I possibly know where else I used my old address? I know of no way to answer this, besides being very meticulous with noting down all signups and registrations I do in my entire Internet life in a non-mutable way. Good luck with that...