Best practices for email change confirmation?

davidb · 2025-01-14T18:13:20.532Z

What are the best ways that developers have found to enable users to reliably revise their email address in your app?

Issue
AFAIK, the only way to generate an email confirmation link is to first revise a user’s email. If a user mistypes the new email, that turns into a deadend since the confirmation link goes to an address the user can’t access but that incorrect email is already saved as their credential for signing in to your app.

I see a few instances of this question posted last year (Mar, Aug, Nov).

Solutions

Custom one-time code: I see one solution posted. @maindola.yogini suggests skipping Bubble’s native email confirmation and instead using a custom one-time code to allow a user to verify a new email before actually updating their sign-in credentials.
Expiry and reversion: I suppose it would also be possible to archive the user’s previous email address, go ahead and change their official account email to the new address and send Bubble’s native confirmation link, but revert their credentials to the previous address if the new address is not confirmed within a specified period.
Skip confirmation: I notice some Bubble apps don’t use any verification. That seems imprudent since a user could so easily end up locked out by unknowingly mistyping their new email address. Although, maybe those apps provide a function for users with elevated privileges (e.g., tech support, team admin) to correct another user’s incorrect email, and find that suffices because it’s infrequently needed.
Custom-manage multiple addresses: Out in the non-Bubble wild, a sensible approach I observe many apps to use is to allow a user to add multiple email addresses to their account, with one being the default and disallowing any unverified address from being selected as the account’s default. This could be implemented in a Bubble app using the one-time code approach.

What have you implemented that works well?

samnichols · 2025-01-14T21:33:51.754Z

Use #1. It’s the easiest way to ensure they don’t mess it up.

I’ll be honest, I don’t have this step. They have to enter the new email twice when they change it, and after nearly 3 years with ~3K user accounts, this hasn’t once been an issue.