Adventures in Changing an Email Address

2020-04-30
privacy software

One does not change one's primary email address very often. When it happens, you will want to change it in the various services and subscriptions you use. This can be a challenging task in itself, partly because the services have wildly different policies on how the change happens. I'll categorise some of the ones I went through.

Most services use the email address as the primary user ID for logging in. Even with the ones that use some other account ID, you virtually always have an associated email address, so the problem of changing it still applies.

During my latest email change I came across a few different approaches:

  • the highly professional one (that perhaps not everyone needs)
  • a sensible one
  • a reactive one
  • one that leaves something behind
  • a very silent one
  • a weird one

I believe there are at least two critical aspects of this process:

  • assuming you actually want to make the change: the process should be easy enough, while still preventing manual errors such as typos
  • if you did not intend to change it, i.e. some attacker is "doing this for you" because your password leaked or similar: you really want to be notified that the change was made, and to have some means of reverting it

(Note: I'm writing this up somewhat later than I actually executed, and my notes are not precise. I may have gotten a few somewhat incorrectly. Also, things change over time - hopefully for the better!)

By the way, when I mention "verify email address" below, I refer to the process where you get a mail at the (new) address with some activation code or link in it that you need to use to get back to the original site, thereby verifying that you can read mail sent to that address. This is not perfect (it proves control of the mailbox at that moment, not who you are, and the link itself must be unguessable, single-use and short-lived), but it's basically the best current practice.

Professional Approach

We are professionals and we give you flexibility to do this.

The basic idea is the following: the service can have multiple email addresses associated with your account. Sometimes up to two, but perhaps as many as you want. One of these is designated as the primary one (for whatever definition of primary: perhaps the one used to log in, or for notifications).

Changing your email in such a setup is quite straightforward: you add a secondary address, verify it, then designate it as the primary one, and finally delete the old one. A couple of steps, but very logical and secure: at no point does the account depend on an address that has not been verified, and the old address stays attached until you explicitly remove it.

Examples of this include GitHub and PyPI.

The Sensible One

You want to change your email? Cool! Let's make sure everything is in order.

Here, when initiating a change, you specify a new address and are asked to verify it. Once you do, the system switches to the new address and sends a notification to both the old and the new address. This is important because:

  • you know that everything worked
  • if you did not initiate the change (site was hacked, your password leaked, etc.) you really want to know about it at your old address, ideally together with a way to undo it

One example of this approach is LinkedIn.
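The flow described in the two sections above (verify the new address before anything changes, switch only after the link comes back, then tell both addresses, and give the old address a way to undo it), written out as an added example that is not code from the original post or from any of the services mentioned. The user store, the token lifetimes and the "mail delivery" (an in-memory outbox instead of a real mailer) are all assumptions made for the illustration; the sample user is constructed.

```python
"""Email-change flow: verify the new address, then notify both old and new.

Added example, not code from the original post. The user store, token
lifetimes and "mail delivery" (an in-memory outbox) are all assumptions.
"""
import hashlib
import re
import secrets
import time

TOKEN_TTL = 60 * 60            # verification link is valid for one hour (assumed)
REVERT_TTL = 7 * 24 * 60 * 60  # old address can undo the change for a week (assumed)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse typo check only


def _digest(token: str) -> str:
    # Persist only a hash of each token: a leaked table then contains no live links.
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChangeService:
    def __init__(self, users: dict):
        self.users = users        # user_id -> current primary (login) address
        self.outbox = []          # every mail "sent", as (to, subject, body)
        self._pending = {}        # sha256(verify token) -> change record
        self._reverts = {}        # sha256(revert token) -> change record

    def _send(self, to: str, subject: str, body: str) -> None:
        self.outbox.append((to, subject, body))

    def request_change(self, user_id: str, new_email: str, now: float = None) -> str:
        """Step 1: record the wish to change. Nothing in the account changes yet."""
        now = time.time() if now is None else now
        if not EMAIL_RE.match(new_email):
            raise ValueError("malformed address")
        old_email = self.users[user_id]
        if new_email == old_email:
            raise ValueError("address unchanged")
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (user_id, old_email, new_email, now + TOKEN_TTL)
        # Only the NEW mailbox gets the link; reading it proves the address is reachable.
        self._send(new_email, "Verify your new address", f"verify?token={token}")
        return token  # returned so the caller can simulate clicking the link

    def confirm_change(self, token: str, now: float = None) -> str:
        """Step 2: the link comes back from the new mailbox. Switch, then tell BOTH sides."""
        now = time.time() if now is None else now
        rec = self._pending.pop(_digest(token), None)   # pop: a token works exactly once
        if rec is None or now > rec[3]:
            raise PermissionError("unknown or expired verification token")
        user_id, old_email, new_email, _ = rec
        self.users[user_id] = new_email
        revert = secrets.token_urlsafe(32)
        self._reverts[_digest(revert)] = (user_id, old_email, new_email, now + REVERT_TTL)
        self._send(new_email, "Address changed", f"Your login address is now {new_email}.")
        # The old address is told exactly what the new one is, and how to undo it.
        self._send(old_email, "Address changed",
                   f"Login address changed from {old_email} to {new_email}. "
                   f"If this was not you: revert?token={revert}")
        return revert

    def revert_change(self, revert_token: str, now: float = None) -> None:
        """Step 3, only when the change was not legitimate: the old address takes the account back."""
        now = time.time() if now is None else now
        rec = self._reverts.pop(_digest(revert_token), None)
        if rec is None or now > rec[3]:
            raise PermissionError("unknown or expired revert token")
        user_id, old_email, new_email, _ = rec
        self.users[user_id] = old_email
        # A real service would also end all sessions and force a password reset here,
        # since whoever made the change presumably holds the password.
        for addr in (old_email, new_email):
            self._send(addr, "Address change reverted", f"Login address is {old_email} again.")


def demo() -> dict:
    """Run the full flow on a constructed account and return the resulting state."""
    svc = EmailChangeService(users={"u1": "old@example.com"})  # constructed sample user
    token = svc.request_change("u1", "new@example.com", now=1000)
    before = svc.users["u1"]                 # still the old one: nothing verified yet
    revert = svc.confirm_change(token, now=1500)
    after = svc.users["u1"]
    svc.revert_change(revert, now=2000)
    return {"before": before, "after": after, "final": svc.users["u1"],
            "recipients": [m[0] for m in svc.outbox]}


if __name__ == "__main__":
    print(demo())
```

The two properties that separate this from the approaches further down are visible in `demo()`: the stored address does not move until `confirm_change` runs with a token that only the new mailbox ever received, and the old mailbox is told both what the new address is and how to revert. Expired or reused tokens are rejected, which is what stops a link that leaks later from being replayed.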

The Reactive One

The only constant is change. We will keep you in the loop while it happens.

Verification is for the weak! It's enough to type in an address (perhaps twice, using copy&paste to make sure...). The system sends a notification to both the old and the new address confirming the change.

Now, if you made a typo in your new address, and worse, you don't even know what the typo is (because the page is closed, the form is not reloaded, the address is not mentioned in the notification, you name it), then you have just lost access to your account. Customer care may or may not be able to help; it really depends on how advanced their backend is: if it records such actions, you're good. Then again, if they go as far as recording this, they are unlikely to allow such an error-prone process. Who knows.

Examples: ACM, Marriott, Skype (!) and, surprisingly, Netflix. This last one is actually quite scary because in the mail to the old address they don't tell you what the new address is. Good luck if your password leaked. In their defence they do ask you to contact them if you did not mean to change it, so presumably they can help :-)

Leaving the Old One Behind

Whatever happened, happened. Let's not dwell on the past any more!

In this case you enter the new address (verification? what verification?) and a notification is sent to your new address only. So if you didn't do this yourself, you'll be none the wiser; whatever mails you otherwise received from them will simply stop arriving in your mailbox. Until you want to log in next time (assuming you need the email address to log in, which is not always the case).

Examples: Artis (NL), Zilveren Kruis (NL), though this latter one does not need/use email for logins.

Very Silent Operation

It's done. That's the only thing that matters.

Just enter the new address… no notification or verification whatsoever.

Examples:

  • ING - though to be fair they don't use email for logins -- in fact they don't use email often in general
  • NS (Dutch Rail) resulted in "500 fout in het verzoek", but the change happened. The error may explain why no emails were sent.
  • OV-chipkaart (Dutch public transport card) resulted in "404 page not found" somewhere in the process. This may be the reason why no emails were sent at all, even though the documentation claims otherwise. In any case the email change actually happened.

Weird One

Our way or the highway.

Greenwheels (a Dutch car sharing service) does not provide an online method to change your email address. Instead you're asked to open a ticket with customer service (ironically: via email) to let them make the change. And, for good measure, they ask you to attach a scanned copy of your driving licence (or ID?)... again, via email! My guess is they don't trust their own online system to handle this change automatically, and they prefer manual labour. Not sure how this prevents typos, but I do understand "this is for security".

Update: not sure when it really changed but as of January 2022 they no longer do this. Instead they follow the "Leaving the Old One Behind" procedure. Which is still not good enough, but it's better than what it was.

Conclusion

I'd recommend that everyone opt for "the sensible one" at a minimum. It's not that hard. The rest have gaps that nobody wants to deal with.

Finally, a question: suppose I really want to leave the old address behind, for whatever reason. How can I possibly know where else I used my old address? I know of no way to answer this, besides being very meticulous about noting down all the signups and registrations I do in my entire Internet life in an append-only way. Good luck with that...


© Kistel