Changing password: Verify with old password, verify by email, or don’t verify?
Scenario
I want to change my password.
I have access to my account, this is not a forgotten password journey.
I've seen three approaches to this.
Method 1: Re-verify with old password
- Log on
- Navigate to my account panel
- Choose "Change password" option
- Enter my current password (verifying I know the account details)
- Enter my new password
- Submit, password is changed
This is probably the most common, and the most secure, as you have to verify immediately before changing the password.
If you gain access to someone else's account when they're already signed in (perhaps because they opted to save their login details), you can't change their password.
Method 2: Re-verify by email
- Log on
- Navigate to my account panel
- Choose "Change password" option, the system emails me a password reset link
- Open email client and locate the message
- Follow the link (verifying I have access to the email account)
- Enter my new password
- Submit, password is changed
This is easiest for users who have quick access to their email on their device. Presuming you have email set up in a local email client, you open the client, open the most recent email, and follow the link, skipping the "enter current password" step. You might even get a push notification, which would make this even faster.
However, this is probably the slowest for users who don't have quick access to their email.
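Both Method 1 and Method 2 are re-authentication gates placed in front of the password change: one checks the current password, the other checks possession of the email inbox via a short-lived, single-use link. The following is an added example, not code from the question or from any real product, showing how a server could implement both gates behind a logged-in session. The in-memory user record, the session IDs and the 15-minute link lifetime are assumptions; the emailed link is returned as a token rather than actually sent.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set

LINK_LIFETIME_SECONDS = 15 * 60  # assumed validity window for the emailed link


def hash_password(password: str, salt: Optional[bytes] = None):
    """Hash with scrypt; returns (salt, digest) so the salt is stored with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    """Constructed in-memory user record (no real database)."""
    email: str
    salt: bytes
    digest: bytes
    sessions: Set[str] = field(default_factory=set)  # active session IDs
    link_token_hash: Optional[bytes] = None           # only a hash of the link token is stored
    link_expires: float = 0.0


def _finish_change(user: User, session_id: str, new_password: str):
    # Store the new hash and drop every other session, so a hijacked session
    # elsewhere is logged out once the legitimate user changes the password.
    user.salt, user.digest = hash_password(new_password)
    user.sessions = {session_id}


def change_password_with_current(user: User, session_id: str,
                                 current_password: str, new_password: str):
    """Method 1: the logged-in user must re-prove the current password."""
    if session_id not in user.sessions:
        return False, "not logged in"
    if not verify_password(current_password, user.salt, user.digest):
        return False, "current password incorrect"
    _finish_change(user, session_id, new_password)
    return True, "password changed"


def issue_email_link(user: User, session_id: str, now: float) -> Optional[str]:
    """Method 2, first half: generate the token that would be emailed as a link."""
    if session_id not in user.sessions:
        return None
    token = secrets.token_urlsafe(32)
    user.link_token_hash = hashlib.sha256(token.encode()).digest()
    user.link_expires = now + LINK_LIFETIME_SECONDS
    return token  # in a real system this goes into the email, never into the response


def change_password_with_link(user: User, session_id: str, token: str,
                              new_password: str, now: float):
    """Method 2, second half: the link proves access to the inbox."""
    if session_id not in user.sessions:
        return False, "not logged in"
    if user.link_token_hash is None or now > user.link_expires:
        return False, "no valid link outstanding"
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user.link_token_hash):
        return False, "link does not match"
    user.link_token_hash = None  # single use: a reused or leaked link is worthless
    _finish_change(user, session_id, new_password)
    return True, "password changed"


def make_demo_user() -> User:
    """Constructed sample account with two active sessions."""
    salt, digest = hash_password("correct horse battery staple")
    return User(email="user@example.invalid", salt=salt, digest=digest,
                sessions={"browser-session", "phone-session"})


if __name__ == "__main__":
    u = make_demo_user()
    print(change_password_with_current(u, "browser-session", "wrong", "new-pw"))
    print(change_password_with_current(u, "browser-session",
                                       "correct horse battery staple", "new-pw"))
    t = issue_email_link(u, "browser-session", time.time())
    print(change_password_with_link(u, "browser-session", t, "newer-pw", time.time()))
```

Both paths share the same ending: the new hash is stored and all other sessions are revoked, which is the part of the flow that actually limits the damage from a session someone else is holding.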
Method 3: Don't re-verify
- Log on (verifying I know the account details)
- Navigate to my account panel
- Choose "Change password" option
- Enter my new password
- Submit, password is changed
This is the quickest method, with the lowest interaction cost.
Arguably the user is already logged in, and therefore verified, so shouldn't need to re-verify.
This assumes scenarios where an unauthorised user has gained access to the account panel are too rare to justify complicating the process.
Weighing up the options
Is there anything I've not considered?
I'd like to go with option 3, but the fact it's so rarely seen makes me think there's something I'm missing.
If it were only between options 1 and 2, I suppose I'd go with option 1, since we can't know if the email is readily accessible.