Yeah. Because I'm a nerd and basically understand how MFA works and how I should prepare for the day my MFA device goes kaput, I saved my backup codes.

For most people, that's too hard. The elderly, marginally educated people being served by the library or in other contexts just don't understand how things work to the degree that they might appreciate backup codes or their importance. They just don't get it. Backup codes are like this noise in the way of account signup.

Ever tried to get friends and family to start using PGP? A password manager?

The technical solutions that are practical already exist, as you've pointed out; and the technical solutions that seem like they're lacking (enrolling a new device without MFA-ing in) are lacking for a reason--they're security holes. You can't say "this email account is super important and access to it unlocks important things in someone's life" and also "account recovery must be as easy as claiming you lost your phone, and you don't have to know any pre-shared or pre-generated secret".

I also don't know what the solution is. Trusted intermediaries (librarians? social workers? police? social security office people?) introduce all kinds of other attack vectors. Elsewhere folks are pointing out that the mistake was probably to rely on email for all of this super important messaging and your account recovery workflow for every system other than email, but that's a society-wide problem that you probably couldn't have controlled in the first place and definitely can't now.

The best you can probably do is aggressively prompt people to prepare for account recovery prospectively, maybe by identifying a trusted intermediary and/or verifying that they have backup codes.
