
It’s probably worth faking having lost your 2FA and asking for it to be reset. If you find out they are this careless with 2FA-protected accounts, you should probably not rely on it too much.

I manage an authentication and identity provider and if someone gets locked out of 2FA and can’t prove their identity via a previously-uploaded gpg key, they get locked out for good. I never honor requests to reset the device sent by email, no matter how much they beg or offer to prove identity by sending copies of official IDs - I don’t care who they are now, I care about them being the same person that set up the account and 2FA, which can only be proven via a valid 2FA device or a GPG signature.
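The policy above ("prove you are the same person who enrolled, with the key you registered then") is a challenge-response check, and the following is an added example of it, not the commenter's own code. It stands in Ed25519 (from Go's standard library) for GPG so that it runs without external tooling; the `Account`, `ResetChallenge` and `Verifier` names are assumed for the illustration. The server issues a random, time-limited challenge bound to the account, the user signs it with the key uploaded at enrollment, and the server accepts only a signature over a challenge it actually issued, once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// Account is the record stored at enrollment. ResetPK is the public key the user
// uploaded when 2FA was set up; it is never replaced on the strength of an email.
type Account struct {
	Name    string
	ResetPK ed25519.PublicKey
}

// ResetChallenge is issued by the server and must be signed by the enrolled key.
type ResetChallenge struct {
	Account string
	Nonce   string
	Expires time.Time
}

// Bytes is the exact message that gets signed: versioned, bound to the account,
// the nonce and the expiry, so a signature cannot be reused for another purpose.
func (c ResetChallenge) Bytes() []byte {
	return []byte("2fa-reset-v1|" + c.Account + "|" + c.Nonce + "|" +
		c.Expires.UTC().Format(time.RFC3339))
}

// Verifier remembers outstanding challenges so that only server-issued,
// unexpired, unused challenges can be redeemed.
type Verifier struct {
	pending map[string]ResetChallenge // nonce -> challenge
}

func NewVerifier() *Verifier { return &Verifier{pending: map[string]ResetChallenge{}} }

// NewChallenge creates a random challenge for an account with the given lifetime.
func (v *Verifier) NewChallenge(account string, ttl time.Duration, now time.Time) (ResetChallenge, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return ResetChallenge{}, err
	}
	ch := ResetChallenge{Account: account, Nonce: hex.EncodeToString(n[:]), Expires: now.Add(ttl)}
	v.pending[ch.Nonce] = ch
	return ch, nil
}

// VerifyReset returns true only if sig is a valid signature by the enrolled key
// over a challenge this verifier issued for this account that has not expired
// or been used. It deliberately ignores any other claim of identity.
func (v *Verifier) VerifyReset(acct Account, ch ResetChallenge, sig []byte, now time.Time) bool {
	issued, ok := v.pending[ch.Nonce]
	if !ok || issued != ch || issued.Account != acct.Name {
		return false // unknown, altered or foreign challenge
	}
	if now.After(issued.Expires) {
		delete(v.pending, ch.Nonce)
		return false
	}
	if len(acct.ResetPK) != ed25519.PublicKeySize || !ed25519.Verify(acct.ResetPK, issued.Bytes(), sig) {
		return false
	}
	delete(v.pending, ch.Nonce) // single use: a replayed signature fails
	return true
}

func main() {
	// Constructed demo: enroll a key, issue a challenge, sign it, verify it.
	pk, sk, _ := ed25519.GenerateKey(nil)
	acct := Account{Name: "alice", ResetPK: pk}
	v := NewVerifier()
	now := time.Now()
	ch, _ := v.NewChallenge(acct.Name, 10*time.Minute, now)
	sig := ed25519.Sign(sk, ch.Bytes())
	fmt.Println("first use:", v.VerifyReset(acct, ch, sig, now))  // true
	fmt.Println("replay:   ", v.VerifyReset(acct, ch, sig, now))  // false
}
```

Everything the requester could supply by email (their name, a scan of an ID) is absent from the check; the only input that matters is a signature the enrolled private key can produce, which is exactly the comment's position.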



> It’s probably worth faking having lost your 2FA and asking for it to be reset.

I'm not sure I trust that I'd be as good an attacker as a professional, and there's not a great way to replicate "hang up, call again" approaches likely to work with a big org.


It could be worth it to spend the $1.50 on Stripe to do identity verification with ID documents for accounts of a certain size, so that they can present those documents again to regain access to their account.

Re-enabling the account after a certain period of time without activity would also be a good measure (on top of the ID verification).


And then lose the documents in a big hack so that everyone with forum access can use your passport copy. Yes.


The whole point of using Stripe for it would be not to have the documents in question. Kind of like you don't hear about companies using Stripe losing their customers' card numbers.



