I wonder whether it would make sense to force companies by law to provide proper support, given how much actual money (I know quite a number of people with four-digit-worth Steam accounts) is bound in such accounts, or how central these accounts can be for our modern lives (imagine all the identities tied to your gmail or fb or twitter accounts - and permanently losing them due to trolls "reporting" your accounts).
As for bypassing 2FA: there is, at least in Germany, a way for any online company to have the real identity of the user proven. It's called "PostIdent" and works by having you go with your ID card to a post office where it is checked. It's acceptable enough even for the strict regulatory frameworks for banks.
So the process could work like "okay, you are John Doe, and you want to re-establish control over your account with the ID 123456 by changing the primary email to john.doe@provider.com? Print out this voucher, pass PostIdent and we will modify your account".
As for bypassing 2FA: there is, at least in Germany, a way for any online company to have the real identity of the user proven. It's called "PostIdent" and works by having you go with your ID card to a post office where it is checked. It's acceptable enough even for the strict regulatory frameworks for banks.
So the process could work like "okay, you are John Doe, and you want to re-establish control over your account with the ID 123456 by changing the primary email to john.doe@provider.com? Print out this voucher, pass PostIdent and we will modify your account".