A flow can either fail safe or fail secure.
Fail secure: if you lose your email, your account is forever locked.
Fail safe: if you lose your email, your account is not forever locked. But, someone else might be able to get your account by pretending you lost your email.
There are no other choices.
When the electronic door controller loses power, either the door stays locked, or the door stays unlocked. In case of a fire you want it unlocked so people can get out. But then a burglar can cut the power to get in. Doors that stay permanently locked in a power outage are only permitted in extreme cases where security is of the utmost importance. Obviously Instagram accounts aren't as important as doors in a fire.
There are a lot of other ways they could do it.
You could provide a delay feature… if you request this sort of reset, it takes 3 days, and emails are sent to the primary address every day with the count down. If your email isn’t lost, you would see these warnings.
You could let an account holder designate emergency contacts (other accounts) that are allowed to request a reset if you lose your primary email (again with a time delay to allow you to block malicious takeover attempts).
Recovery keys, security questions, real life identity proof, etc, are all other possible options, too.
This is actually what Microsoft does for Microsoft accounts.
If you recover a Microsoft account / submit a ticket to recover it and provide correct information, the active email gets an email letting them know about the request.
You can deny it, or if you ignore it for 30 days the request goes through.
Seems to be the best system IMO
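An added example, not part of any comment in this thread: a minimal sketch of the time-delayed reset with owner veto described in the comments above (a 3-day countdown with daily warnings; the 30-day Microsoft variant is the same logic with a longer delay). The class and field names are hypothetical, and the `outbox` list stands in for real email delivery.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

DAY = timedelta(days=1)

class State(Enum):
    PENDING = "pending"
    DENIED = "denied"
    APPROVED = "approved"

@dataclass
class RecoveryRequest:          # hypothetical model, not any vendor's API
    account: str
    requested_at: datetime
    delay: timedelta            # 3 days or 30 days in the comments above
    state: State = State.PENDING
    warned_days: set = field(default_factory=set)
    outbox: list = field(default_factory=list)   # stand-in for email delivery

    def tick(self, now: datetime) -> State:
        """Called by a scheduler: warn once per day, release only after the delay."""
        if self.state is not State.PENDING:
            return self.state
        elapsed = now - self.requested_at
        if elapsed >= self.delay:
            self.state = State.APPROVED      # silence for the full window = approval
            return self.state
        day = elapsed // DAY
        if day not in self.warned_days:
            self.warned_days.add(day)
            left = math.ceil((self.delay - elapsed) / DAY)
            self.outbox.append(f"{self.account}: reset requested, completes in "
                               f"{left} day(s). Deny it if this was not you.")
        return self.state

    def deny(self, now: datetime) -> State:
        """Owner veto from the primary address; too late once the window has closed."""
        if self.state is State.PENDING and now - self.requested_at < self.delay:
            self.state = State.DENIED
        return self.state
```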
Someone has been trying to hack into my MSFT account for years. I constantly get the notifications. I can not see where they are trying from (unlike some other services that give you info about failed login attempts) nor add more security measures. I worry one day I will accidentally hit "Approve" or they will guess the 6 digit code they have tried thousands of times.
The fun part is that you can't disable OneDrive. No matter how many times I turn it off it always keeps turning OneDrive back on to put my private data in the cloud for the attackers. Of course I can't block the methods that are obviously under attack either.
And the lack of a login history view means I have no way to know if they were successful yet. Support has never been good (for legitimate users) and is basically non-existent with AI now.
You can view the recent activity on your Microsoft account @ account(dot)live(dot)com/Activity
Would show any logins or security info updates etc
Those login attempts which trigger the 2FA app do not generate a log entry if unsuccessful. Only attempts with username/password do. For some strange reason.
So there is no way to flag them as malicious and if you accidentally accept, then it’s already too late.
Pretty annoying setup.
1. Provide a delay of a week.
2. Notify via all addresses on file.
3. Make an admin post (by the account in question) explaining that a 2FA override has been requested. Something you and all your followers can see.
Apple does this.
There are definitely more shades of grey. On my iPhone I can select a close contact to be able to overturn my protection but this contact needs to have security features turned on, too. So Apple staff cannot do it, only a non publicly known person that has 2FA and encryption themselves. Add time delays, notifications, identity checks and more to it and you can make this process reasonably secure while still ensuring recovery.
There are no other online choices. If my Bank login goes totally Kaput, though, I can take my ID down to the Branch to get it sorted. Same with my telecom provider.
I try to only depend on services which have this property. I don't succeed.
Sounds great until you have an aging parent with a problem who can't get there. Get a power of attorney you say.. great but they won't accept unless parent comes to the branch.
This comes back to haunt you in the future.
I've done this. I'm very surprised that, in your case, the POA was not sufficient to get your business done.
I'm not sure what alternative you are proposing. This only gets much, much worse when the aging person is trying to use a password...
> until you have an aging parent with a problem who can't get there
Or you get elected to high office and consequently getting to the branch is a bit ... faffy[0]
[0] https://chicago.suntimes.com/pope-leo-xiv/2026/05/06/pope-le...
> McCarthy, an Augustinian friar from the South Side who has known Pope Leo for 43 years, told the story as a reminder to parishioners that the pope “is like us,” and “a very humble guy.”
So humble that he was able to change his information over the phone by threatening directly to the president of the bank that he'd use a different bank if they didn't let him, and the president bent over backwards to meet this demand. He's just like us!
This is still less problematic than an attacker getting in and draining the funds.
That's a strange one. I had to use POA for my mother-in-law last summer and it was straightforward.
On the other hand, the best anti-scam feature for older relatives is to tell them to "go there in person". Get a call from the bank, they simply tell them "ok, I'm coming to the bank tomorrow, in person", and they're done. Scam call? Legit call? Doesn't matter, they'll sort it out at the bank.
There's a whole wide age and knowledge/competence where older people can still fall for scams (or can't know if it's legit or a scam) but on the other hand are still capable of going to whatever office/bank they need to go to.
Probably not news to anyone here, but a partial step in this direction is to put down vetted official contact details for the institutions.
Every time someone calls to say there's a problem with your account, you ask for their name and/or extension number, because recontacting through the institution is your only good way of verifying their identity.
That works when the system is set up to allow that.
I've encountered banks that don't have that setup — hilariously one bank felt the need to cold call me about my complaint about cold calling from unverifiable numbers. When I asked how I could call them on a verifiable number, they claimed I couldn't. :/
Malware on your phone can reroute your calls to the attacker. So you think you're calling the official number at the correct institution, but you're actually talking to the attacker.
Well, yeah, and knowing first-aid is worthless if someone's been decapitated. :p
If some malware is that deep on the phone, able to redirect calls, then you've got much bigger problems and the attacker might not even need to trick any cooperation at all.
Seems like a business opportunity. Face to face authentication in every major city that can authenticate people when needed.
This is actually one of the more useful services those horrible check-cashing storefronts provide.
Take it to the branch? Like in the 90s? What?
I don't think it's that binary.
Using the door and fire scenario, you can have a manual opening method available, just make it only available on the inside.
I'm probably out of date, but Google's advanced protection at one point did account recovery via postcard to your home address. High latency but pretty good as a fallback.
Postcards are the least secure form of mail. I would hope it uses a security envelope at least.
There are many good options. [1]
[1] https://news.ycombinator.com/item?id=48321089
What about "go see an agent in person and use your fingerprint to prove it is you"?
Of course it's not binary, any more than there are two choices between "cheap" and "expensive".
The question is how much effort and authority is required to gain access through alternative means, not whether it's possible.
It's always a question of how much, insofar as kidnapping Mark Zuckerberg or winning an order from a Federal Judge are two of the possible scenarios.