You could provide a delay feature… if you request this sort of reset, it takes 3 days, and emails are sent to the primary address every day with the count down. If your email isn’t lost, you would see these warnings.
You could let an account holder designate emergency contacts (other accounts) that are allowed to request a reset if you lose your primary email (again with a time delay to allow you to block malicious takeover attempts).
Recovery keys, security questions, real life identity proof, etc, are all other possible options, too.
The delay is quite a bother but it's surely better than account takeover. What I mind about the process is probably the lack of transparency - what combination of factors (MFA pieces, location, inactive time, ...) launches which process? I get that transparency might help attackers here but they're the ones to have the persistence to figure out the rules anyway. Smells like security through obscurity to me.
Having 1 or 2 backup email accounts and/or an SMS sent to a registered mobile phone number seems to me to be relatively simple to implement
Along with a built-in delay, the inconvenience of having to wait is way better than losing access to critical accounts
If you recover a microsoft account / submit a ticket to recover it and provide correct information, the active email gets an email letting them know about the request
You can deny it, or if you ignore it for 30 days the request goes through
Seems to be the best system IMO
The fun part is that you can't disable OneDrive. No matter how many times I turn it off it always keeps turning OneDrive back on to put my private data in the cloud for the attackers. Of course I can't block the methods that are obviously under attack either.
And the lack of a login history view means I have no way to know if they were successful yet. Support has never been good (for legitimate users) and is basically non-existent with AI now.
I would recommend you look at some other guides before you do this but the gist is My Account > Your Account > Manage Account Information. Then you can add a new email that you do not share as your primary login email, and disable login from the email you use to send emails.
However, I can use any of them to initiate a login attempt. I have my account set to passwordless, I don't know if that is relevant (every login attempt triggers an MFA prompt).
If I click on "Edit account info" I am taken to a page where I can choose which address in the "Primary", but given that ANY of the aliases can be used to intiate a sign-in, I don't see any benefit in changing that.
EDIT: I wasn't being adventurous enough. The option to change which aliases can be used to sign in is under (surprisingly) "Sign-in preferences".
In my defence, that page wasn't loading properly in Firefox with all my privacy add-ons enabled. I was able to access it in Edge.
EDIT2: I've changed my primary alias to a newly created one. If I am still able to sign in OK in a couple of days, I will disable the old primary for sign-in. I hope I don't live to regret this!
Would show any logins or security info updates etc
So there is no way to flag them as malicious and if you accidentally accept, then it’s already too late.
Pretty annoying setup.
That's a good measure, but it would fail for the attack scenario in TFA: the attacker claims their account was hacked, so presumably (if the support AI "believes" them) the notification email is compromised. If the account was hacked, you cannot let the one receiving the notification cancel your recovery attempt, which they will of course try to do. Of course in this exploit it's all a lie, but what if your account truly was hacked and your were genuinely trying to recover it?
Now I want to log in with the correct password, because it's been such a long time, it locks me out unless I give it 2 security answers. I've tried to reset it by email, it still locks me out on next login and asks for 1 security answer, I can't find any answer, I have no clue if it's case-sensitive and details like that. I went to an Apple store, they told me to contact the support, I have contacted the support, they can't do anything. Maybe my last hope is GDPR since I'm in the EU, have the account deleted.
I try to only depend on services which have this property. I don't succeed.
This comes back to haunt you in the future.
I'm not sure what alternative you are proposing. This only gets much, much worse when the aging person is trying to use a password...
Or you get elected to high office and consequently getting to the branch is a bit ... faffy[0]
[0] https://chicago.suntimes.com/pope-leo-xiv/2026/05/06/pope-le...
So humble that he was able to change his information over the phone by threatening directly to the president of the bank that he'd use a different bank if they didn't let him, and the president bent over backwards to meet this demand. He's just like us!
There's a whole wide age and knowledge/competence where older people can still fall for scams (or can't know if it's legit or a scam) but on the other hand are still capable to go to whatever office/bank they need to go.
Every time someone calls to say there's a problem with your account, you ask for their name and/or extension number, because recontacting through the institution is your only good way of verifying their identity.
I've encountered banks that don't have that setup — hilariously one bank felt the need to cold call me about my complaint about cold calling from unverifiable numbers. When I asked how I could call them on a verifiable number, they claimed I couldn't. :/
If some malware is that deep on the phone, able to redirect calls, then you've got much bigger problems and the attacker might not even need to trick any cooperation at all.
My wife is trying to sort something with a famous Irish airline who are well known for messing people around. She has LPA/POA for her mother but rather than the airline accepting the VCode (this is the UK) the airline are requesting to see the original POA certificate which is just ridiculous. They seem to be moving a little quicker now there is solicitor involved.
Given how much back and forth there has been it's probably cost the airline more than just refunding the amount at the first request. We'll keep going to prove a point.
Using the door and fire scenario, you can have manual opening method available, just make it only available on the inside.
I get that this also is technically a 2FA bypass but the cost is extreme and its really hard to impersonate someone in real life.
If it's not feasible, I can see an argument that large enough companies should be required to provide in person support options.
Facebook defintely has enough money to facilitate this.
The question is how much effort and authority is required to gain access through alternative means, not whether it's possible.
It's always a question of how much, insofar as kidnapping Mark Zuckerberg or winning an order from a Federal Judge are two of the possible scenarios.
Fail safe noisily and implement a cooldown period.
It would mean that someone can't gank an account from under you while you're using it, but you could recover it after a week if you lose access to your email.