The strangest/scariest and honestly in the end all that surprising one of these I had was with a major storage appliance provider that most in the space on HN would know by name.

We needed to delete a storage volume to urgently free up space, and apparently this was locked in a way the storage vendor was required to act as a "second key" to ours to make the destructive action. We had never properly set this up, and I never had even logged into my "support" account with them before. They required two authorized contacts on our end for them to confirm the action.

The process was effectively my colleague handling the sev1 incident asking me to join their Zoom call. They asked for my 2FA and I said I never had one configured and obviously did not receive it since my e-mail was not setup with them. The (obviously outsourced) support rep decided just pasting the code into Zoom chat and then having me read it back to them was Good Enough(tm) and the process continued.

I was a little too surprised at this at the time to think about it too much. But the fact they could see the expected generated code, and type it in themselves into their system was at least interesting to me. Not quite sure how I feel about it, since this did indeed save us from a sev1 going sev0 - but overall it's obviously quite vulnerable to both social engineering and insider attack.

It's certainly a difficult tradeoff. Not sure I would hand that sort of "override" capability to someone who was was clearly a Tier 1 or 2 support rep - I'd probably bury it (but in a different manner) somewhere that required escalation to a higher authority but still could be done in timely (minutes, not hours) manner. Who knows though, as organizations scale this gets harder and harder.