Protect Sensitive Attributes
If you configure user self-service, you must ensure that the user's email address and phone number cannot be changed without re-authentication. If you do not do this, an attacker that gains access to a user's session can change the user's email address and perform a password reset to gain full access to their account.
To protect sensitive self-service attributes globally, select Configure > Services > Global Services > User Self Service > Profile Management and add
To protect sensitive self-service attributes at the realm level, select Realms > _Realm name_ > Services > User Self Service > Profile Management and add
For more information, see "Profile Management"