Had a panic last night. Tried to log in to my Zotero account only to find that there was new 2FA - by email. However, I had not updated my email from the old @martineve.com address. I added the new eve.gd address from a logged-in account. But this shows a weak design pattern...
When a new address is added, confirmation should really go to the OLD address. If you just confirm the new address, you could just be confirming an attacker's controlled email. But it did let me recover my account 😀
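A sketch of the change-of-address flow the post argues for, as an added example that is not from the post and is not Zotero's code: the new address replaces the old one only after a token mailed to the old address and a token mailed to the new address have both been confirmed. The `EmailChange` class, the `outbox` stand-in for a mail sender, the one-hour `TOKEN_TTL` and the `example.test` addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds; assumed lifetime of a confirmation link


class EmailChange:
    """Pending address change that commits only after BOTH mailboxes confirm."""

    def __init__(self, account, new_email, now=None):
        if new_email == account["email"]:
            raise ValueError("new address is the same as the current one")
        self.account = account
        self.new_email = new_email
        self.expires = (now if now is not None else time.time()) + TOKEN_TTL
        self.confirmed = set()
        self._hashes = {}   # role -> SHA-256 of token (raw tokens are not stored)
        self.outbox = {}    # address -> token; stand-in for sending the mail
        for role, addr in (("old", account["email"]), ("new", new_email)):
            token = secrets.token_urlsafe(32)
            self._hashes[role] = hashlib.sha256(token.encode()).hexdigest()
            self.outbox[addr] = token

    def confirm(self, role, token, now=None):
        """Record one confirmation; return True once the change is committed."""
        now = now if now is not None else time.time()
        if now > self.expires or role not in self._hashes:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, self._hashes[role]):
            return False
        self.confirmed.add(role)
        if self.confirmed == {"old", "new"}:
            # The old mailbox approved the change and the new one is reachable.
            self.account["email"] = self.new_email
            return True
        return False


if __name__ == "__main__":
    acct = {"email": "old@example.test"}            # constructed sample account
    change = EmailChange(acct, "new@example.test")
    change.confirm("new", change.outbox["new@example.test"])
    print(acct["email"])                            # still the old address
    change.confirm("old", change.outbox["old@example.test"])
    print(acct["email"])                            # now the new address
```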