Thanks for taking time out of your busy day of rapid-firing broken-ass untested updates to answer my questions. I've tried to sum up your answers in a Q&A format with citations. Correct me if I'm wrong on any of these.
>The solution to both problems is to implement the safest solution first and let people use that while the other options are developed
Q: What will be done about users who don't have access to their old E-mail
A: Something
Q: When will this undefined solution be implemented
A: At some point
>Sure, but that sounds like a job for steam support or the police, not Badspot.
Q: Why steam
A: So in case anyone finds another RCE exploit in my game, which is not unlikely since I disabled protections against it due to an issue I don't feel like debugging, them stealing peoples accounts won't be my problem anymore.
Maybe I'm missing something here, but it seems to me like if you wanted an easy solution that didn't involve breaking the game for a week, you could have just allowed people to request new keys via e-mail, and used the same protections for that as I'm sure you plan to use for switching to steam.
This would have achieved the same effect as the steam-only solution, also allowed you to step away and let the e-mail host handle stolen accounts, and not required a total overhaul of the auth system. It would have also meant people could play the game without having steam constantly running and taking up half a gigabyte of memory, but I know you don't give a stuff about that.
Instead of spending weeks implementing an overly difficult solution to a nonexistent problem, you could be trying to get CFG working, and working toward preventing this from ever happening again, whether on your watch or someone else's.
Q: Why are you inconveniencing users for little benefit by disabling name changing
A:
No quote to show here because you didn't address this.