security – Can I securely allow users of my site to change their email address if they forgot their password and no longer have access to the old email address?


How do I securely allow users to change their emails if they lose access to the original email? Do I need 2 factor?

It’s a social media site coded in Node.js where I have their username, password, and email address. Users sometimes want to change their emails because they lost their password to their old email address. However, I use confirmation emails sent to their email address as my way of authentication for actions like changing a password. What can I do, or is there no way but to just allow this to be an insecure action?

I’m concerned that if someone, say a girlfriend or a roommate, gets access to a computer that person is on and claims a lost email, they can take over the account.