This would go for any community login, but for Affiliates they are actually getting payouts so this is quite a security issue.
All Affiliates, and community members, are simple contacts, not users.
So their login email can be changed with any new form or survey submitted, with no OTP verification, and anyone who knows their phone number can do it.
You can actually use the affiliate's own referral link, enter their phone number, your own email, and change the login email for his portal. You do not even need his password because you can log in with a secure code, sent to the email you changed.
Changing all community members/Affiliates to users may not be the best option, but if we could just lock the email and phone number of a contact that would solve this issue.
Have it auto lock any community members and affiliates. Maybe OTP options down the road for contacts.
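
The lock requested above, sketched as an added example that is not part of the original post or the platform's code: a form-submission merge that matches contacts by phone, run once with the overwrite behaviour the post describes and once with email and phone locked for portal contacts. The `Contact` model, `apply_submission`, and the sample data are hypothetical.

```python
from dataclasses import dataclass

LOCKED_FIELDS = ("email", "phone")  # identity fields the post proposes locking

@dataclass
class Contact:  # hypothetical model, not the platform's schema
    phone: str
    email: str
    has_portal_login: bool = False  # True for community members and affiliates

def find_by_phone(contacts, phone):
    return next((c for c in contacts if c.phone == phone), None)

def apply_submission(contacts, submission, enforce_lock):
    """Merge a form/survey submission into the contact matched by phone.

    Returns (contact, rejected_fields). With enforce_lock=False this reproduces
    the overwrite the post describes; with True, locked fields are left alone.
    """
    contact = find_by_phone(contacts, submission["phone"])
    if contact is None:  # no match: a new contact, nothing to protect yet
        contact = Contact(submission["phone"], submission["email"])
        contacts.append(contact)
        return contact, []
    rejected = []
    for name in LOCKED_FIELDS:
        new = submission.get(name)
        if new is None or new == getattr(contact, name):
            continue
        if enforce_lock and contact.has_portal_login:
            rejected.append(name)  # keep the old value; surface for review
        else:
            setattr(contact, name, new)
    return contact, rejected

def demo():
    # Constructed sample data, not taken from any real account.
    sub = {"phone": "+15550100", "email": "someone-else@example.net"}
    before = [Contact("+15550100", "affiliate@example.com", True)]
    after = [Contact("+15550100", "affiliate@example.com", True)]
    c1, r1 = apply_submission(before, sub, enforce_lock=False)
    c2, r2 = apply_submission(after, sub, enforce_lock=True)
    return (c1.email, r1), (c2.email, r2)
```

The rejected field list is what an admin review queue or a later OTP confirmation step would consume.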