Should the user be given the right to change address?

The website has only classic registration and login via Facebook (no phone, SMS, etc.).
Question: does it make sense to give users the right to change their email address, for example if they log in with it and entered a throwaway address just to be left alone? Will it lead to a security hole for good users? And how can the email be changed if the user no longer has access to the old one?
July 5th 19 at 00:06
1 answer
July 5th 19 at 00:08
Solution
Question: does it make sense to give users the right to change their email address, for example if they log in with it and entered a throwaway address just to be left alone? Will it lead to a security hole for good users?

Giving it is right, but through support and ONLY ONCE! Also, you should notify the user.
This depends on the company's line of business. I, for example, have more than 7 email addresses for personal use plus a corporate email address.

And how can the email be changed if the user no longer has access to the old one?

No, that's not right. To change the email you need to develop an additional "level" of security. For example, the user must enter the old password (store a table of hashes), or answer a few questions. Or a secret phrase, a word...
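
Added example, not part of the original answer: the checks mentioned above (re-entering the current password and verifying it against the stored hash, a one-time change limit, and notifying the user) written out in Python. The user record layout, the function names and the `outbox` list standing in for a mail sender are assumptions.

```python
import hashlib
import hmac
import os


class EmailChangeError(Exception):
    """Raised when an email change request is refused."""


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; only this value is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def new_user(email: str, password: str) -> dict:
    # Hypothetical user record (assumption, not a real schema).
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "pw_hash": hash_password(password, salt), "email_changes": 0}


def change_email(user, current_password, new_email, outbox, max_changes=1):
    # 1. Re-authenticate: a logged-in session alone is not enough.
    candidate = hash_password(current_password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        raise EmailChangeError("current password is wrong")
    # 2. Enforce the one-time limit; further changes go through support.
    if user["email_changes"] >= max_changes:
        raise EmailChangeError("change limit reached, contact support")
    new_email = new_email.strip().lower()
    if "@" not in new_email or new_email == user["email"]:
        raise EmailChangeError("new address is invalid or unchanged")
    old_email = user["email"]
    user["email"] = new_email
    user["email_changes"] += 1
    # 3. Notify both addresses so the real owner sees an unexpected change.
    outbox.append((old_email, f"Your account email was changed to {new_email}"))
    outbox.append((new_email, "This address is now linked to your account"))
    return old_email
```
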
