a) Two Factor should be mandatory and as soon as it is, any representative of the company MUST insist that a reset cannot be done over the phone. It should be highly suspicious if someone comes up and says "Hi, I lost my email account access AND my phone so could you please reset my password via phone now?"
b) If not Two Factor, the security questions should also be mandatory. No other "data" like past addresses or cc numbers should suffice to reset over the phone if the person doesn't know the answers to all security questions.
And, speaking of these questions, of course they should be stuff that you know and cannot be "guessed" by anyone who is able to read your facebook page or similar. Maybe even some non nonsensical thing like "Favorite Food" - "Horse Droppings". As long as you remember this, nobody should be able to "hack" that over the phone. Even if you go on and on on facebook about how you "could eat your way through a giant bowl of pasta you love it so much"
a) Two Factor should be mandatory and as soon as it is, any representative of the company MUST insist that a reset cannot be done over the phone. It should be highly suspicious if someone comes up and says "Hi, I lost my email account access AND my phone so could you please reset my password via phone now?"
b) If not Two Factor, the security questions should also be mandatory. No other "data" like past addresses or cc numbers should suffice to reset over the phone if the person doesn't know the answers to all security questions.
And, speaking of these questions, of course they should be stuff that you know and cannot be "guessed" by anyone who is able to read your facebook page or similar. Maybe even some non nonsensical thing like "Favorite Food" - "Horse Droppings". As long as you remember this, nobody should be able to "hack" that over the phone. Even if you go on and on on facebook about how you "could eat your way through a giant bowl of pasta you love it so much"