> The tricky part though with any scaled service is that for every legitimate case like this, there are many more bad actors trying to hijack accounts through exactly this mechanism

I really wish more people understood this, especially on HN.

Account recovery flows are flooded with people trying to break into other people's accounts. It's going to be nearly impossible to make a system that can allow someone to recovery their account without also accidentally allowing someone to social engineering their way into someone else's account.