Secondary email features (partially?) ineffective

[mwalzer]

Describe the bug
If an account holder loses access to the primary email, and an email verification challenge is issued, the account gets quasi-disabled even if a secondary (verified) email is registered to the account and any or all account verification details sufficient for successful login are present (password+TOTP, recovery codes). In this case, no account action except for login and Resend verification email is possible. I assume this is unwanted behaviour, otherwise what are the secondary emails good for?

Expected behavior
A successful authentication and login should allow a primary email switch and/or removal of the inaccessible email.

To Reproduce
This is hard to reproduce, but creating an account with primary and secondary email, verification of secondary email first, then disable primary email such that a *Hard failure during delivery is issued during the verification process of the primary email, should reproduce the issue.

My Platform
Platform independent

Additional context
none

[mwalzer]

Also, if this is wanted behaviour, the resulting Warning banner on the account page:

Your primary email address (abc@xyz) is unverified. Verify your email or add a new address.

Should only read "Your primary email address (abc@xyz) is unverified. Verify your email" since no other action is possible.

[di]

I think this is a bug: we should let users who already have 2FA set up manage/modify which email is primary (but still require primary email verification before being able to move forward)

[mwalzer]

👉👈 I must admit I myself am in that situation (and why I came to think about the issue). 😅
But if I'd hazard a guess, that might also lessen the apparent (by number of account recovery issues) burden on the support team. At least I hope that not all suffer from complete loss of their authentication methods.