I think we should be asking how to design the procedure for when someone calls and claims they forgot everything and lost everything. An attacker can always call in and say this, and we'll need to call in and say this if we've been attacked.
My opinion: we should be able to visit a government office, get our picture and fingerprints matched, and then we can reset our email/password/2fa right there.
My opinion: we should be able to visit a government office, get our picture and fingerprints matched, and then we can reset our email/password/2fa right there.