Hacker News
by tucif 2066 days ago
You would probably be considering that this opens a vector for account takeover if both auth identifiers are “lost” and you switch emails to a new one. Hope changing that is tied to sending some kind of notification to the original email when that happens, with instructions to undo.

To prevent getting there in the first place, could you do the type of “is this info still alright?” as part of the login flow every now and then? May reduce some of the cases at least.

If this happens just too often, you may need to ask for another means of contact info. Additional email/phone, which should all be pinged whenever auth info changes.
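
The flow suggested in the comment above, as an added sketch that is not part of the original comment or any project's code: changing the login email notifies every known contact and sends a time-limited, single-use undo token only to the old address. The `Account` class, the `send` callback, the function names and the 7-day window are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

REVERT_WINDOW = 7 * 24 * 3600  # assumed undo window, in seconds


class Account:  # hypothetical minimal account record
    def __init__(self, email, backup_contacts=()):
        self.email = email
        self.backup_contacts = list(backup_contacts)
        self.pending_revert = None  # (token_hash, old_email, expires_at)


def hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def change_email(account, new_email, send, now=None):
    """Switch the login email and ping every known contact about it."""
    now = time.time() if now is None else now
    old_email = account.email
    token = secrets.token_urlsafe(32)
    # Store only a hash so a database leak does not expose usable undo tokens.
    account.pending_revert = (hash_token(token), old_email, now + REVERT_WINDOW)
    account.email = new_email
    # Only the original address receives the undo token.
    send(old_email, f"Your login email was changed to {new_email}. Undo code: {token}")
    for contact in [new_email, *account.backup_contacts]:
        send(contact, "The login email on your account was changed.")
    return token  # returned here only so the sketch can be exercised


def revert_email_change(account, token, send, now=None):
    """Restore the old email if the token matches and has not expired."""
    now = time.time() if now is None else now
    if account.pending_revert is None:
        return False
    token_hash, old_email, expires_at = account.pending_revert
    # Constant-time comparison; wrong or expired tokens change nothing.
    if now > expires_at or not hmac.compare_digest(token_hash, hash_token(token)):
        return False
    account.email = old_email
    account.pending_revert = None  # single use
    for contact in [old_email, *account.backup_contacts]:
        send(contact, "The email change on your account was undone.")
    return True
```
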