Account blocking or password reset code via email in case of account hijacking?
There are 3 options:
1 - an anonymous user resets the account password by confirming the email the account is linked to with a code sent to that email
2 - the logged-in user updates the password in the account settings; the action must be confirmed with a code from the email
3 - the logged-in user updates the email in the settings; ownership of the mailbox must be confirmed with a code sent to that same email
As you can see from the flow, everywhere you need to confirm the action with a code sent to the email. But what if the mailbox was stolen?
Even if it is sent to the same email, the thief can simply delete that email and that's it.
And when the user realizes that the account was stolen, he needs to create a separate one for technical support or write to the support email.
The question is, does it make sense to send an email with a link to block the account or a password reset code? Or to block the account if hijacking is suspected?
But then questions arise: how do you determine theft? Obviously, it is not enough to receive an email with the text "MY ACC WAS STOLEN, RETURN THE PAZYA!" from an email that has nothing to do with the account. It is worth adding that with the new SMTP it is impossible to find out the sender's IP, so there is no 100% guarantee that the IP of the stolen account matches the sender of the email about the hijacking.
In principle, I think the IP can be faked or substituted somehow, so even if someone writes in and says that their IP and the IP from which the acc was created are the same...
Cases with an authenticator on the phone and the like, such as 2-, 3- or 4-factor authentication with biometrics, we can skip.
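One common mitigation for option 3 (and for the "send a link to block the account" idea raised above) is a revert link: when the linked email is changed, the old mailbox receives a signed, time-limited link that undoes the change and locks the account for support review. This is an added illustration, not code from the original post; the service class, the 7-day window and the in-memory outbox are assumptions. It gives the real owner a window to undo the hijack once they regain their mailbox, but does not help while the thief still controls that mailbox.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field

REVERT_WINDOW = 7 * 24 * 3600  # assumed policy: old mailbox can undo the change for 7 days

@dataclass
class Account:
    user_id: str
    email: str
    locked: bool = False
    # token_id -> (old_email, new_email, expires_at); pending email changes
    pending_changes: dict = field(default_factory=dict)

class RevertService:
    """Issues and validates 'undo email change' links sent to the OLD address."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.outbox = []  # (recipient, subject, link); stands in for real mail delivery

    def _sign(self, token_id: str, user_id: str, expires_at: int) -> str:
        msg = f"{token_id}:{user_id}:{expires_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def change_email(self, acct: Account, new_email: str, now=None) -> str:
        """Apply the change (option 3) but notify the old mailbox with a revert link."""
        now = time.time() if now is None else now
        old_email = acct.email
        token_id = secrets.token_urlsafe(16)       # unguessable, no '.' so it splits cleanly
        expires_at = int(now + REVERT_WINDOW)
        acct.pending_changes[token_id] = (old_email, new_email, expires_at)
        acct.email = new_email
        link = f"{token_id}.{self._sign(token_id, acct.user_id, expires_at)}"
        self.outbox.append((old_email, "Your email was changed; click to undo and lock", link))
        return link

    def revert(self, acct: Account, link: str, now=None) -> bool:
        """Undo the change and lock the account; rejects unknown, expired or tampered links."""
        now = time.time() if now is None else now
        token_id, _, sig = link.partition(".")
        change = acct.pending_changes.get(token_id)
        if change is None:
            return False
        old_email, _new_email, expires_at = change
        if now > expires_at:
            return False
        if not hmac.compare_digest(sig, self._sign(token_id, acct.user_id, expires_at)):
            return False
        acct.email = old_email
        acct.locked = True                           # lock until support reviews the case
        acct.pending_changes.pop(token_id)           # single use
        return True
```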