[powersnail]

Email isn't secure, but neither are phone calls.

If a customer emails to cancel, just email back a cancellation link that requires signing in. I think that's a good middle ground.

[Silhouette]

Sure, but you can exchange credentials over the phone with acceptable safety in most situations, after which it's reasonable to accept that the other person is who they claim to be.

Obviously if someone does email asking to cancel, a suitable method of cancellation should be explained to them.