Tell them to auth with one of their single-use codes they got after activating 2FA?
Those are gone too.
Well, crap. Strictly speaking I’d say they’re SOL because otherwise what’s the point of 2FA if you can social engineer your way around it. In practical terms maybe there’s another high confidence authentication that would be satisfactory. Yikes.
Does anyone really save those single-use codes?
I do. I have 2 hard keys and have multiple copies of the codes.
I have seen both. Joyent let me reset; GitHub won’t do it unless you have an SSH key pair associated with the lost account.
Happened to me on http://lobste.rs and happily the admin reset 2FA for me after an email confirmation.
This is why SMS continues to be popular despite its flaws. Most services tend to have removal methods involving secondary methods such as SMS or email.
I had to go to a notary with my passport to get an account back. Took a day off work for a few domain names.
Sounds reasonable. If issues relating to identification work (possible) in real life, why make it harder in tech?
I've been told SOL. And while it hurt, isn't that the entire point?