The recovery user flow, at the end of the day, should provide an option for identity proofing through a service that can consume a government provided identity credential. Login.gov, Stripe Identity, ID.me, whatever, something that can attest that you are you when provided a sanctioned credential.
You should be given the option to opt out of this, have your data E2E encrypted, and if you lose your creds your data loss is on you. But for everyone else, they can then provide ID and get their digital identity and data back (at a very low cost to the service provider, proofing is usually $1-2/request in bulk; if you want to charge the user that cost, that’s palatable).
(corp|customer identity governance and proofing is a component of my work at a fintech)
1b) Offer non-electronic second factors such as paper codes
2) Offer a broad range of options in general, not just phone or even worse only SMS. I can count the services that I can use my Yubikeys with on one hand
3) Be predictable (or at least be configurable like that) by the user and not behave different on weird conditions such as your IP
4) Allow to configure more than just 2 factors. 2 factors are really bad. It should usually be 1 or 3+.
5) It should educate properly about how to use it and also about the risks (e.g. increased change of losing access, especially when certain factors are used)
I think that when identity proofing actually becomes important, we should fully leave private services. That is something too important, so the state should either standardize and enforce it or offer it. Maybe, offering a wide-scale MFA / Auth solution should come with similar restrictions that we have for finance, including the identity proofing fallback your mentioned.
You should be given the option to opt out of this, have your data E2E encrypted, and if you lose your creds your data loss is on you. But for everyone else, they can then provide ID and get their digital identity and data back (at a very low cost to the service provider, proofing is usually $1-2/request in bulk; if you want to charge the user that cost, that’s palatable).
(corp|customer identity governance and proofing is a component of my work at a fintech)
https://media.fidoalliance.org/wp-content/uploads/2019/02/FI... ("Recommended Account Recovery Practices for FIDO Relying Parties", Page 3)
https://doi.org/10.6028/NIST.SP.800-63a NIST SP 800-63A Enrollment and Identity Proofing