by bpodgursky 3265 days ago
Unless you have written backup codes, there should not be a resolution possible. You either remember to change phone #s before you change them, or you are locked out. Deal with the phone company.

> "There should not be a resolution possible"

This guy works in customer service. LOL

If you're sending me a bill, you need to provide a way for me to resolve an issue such as this. "There is not a resolution possible, we will continue billing you in perpetuity thank you good day" is not acceptable. (It's AWS and they do, so maybe it is, but... try building a new service that isn't AWS with that attitude, and see how far it gets you!)

I kind of see chargeback as a potential resolution for this. If you lost access to your account and can't shut down billing via the normal route, you could still stop payments from your bank or credit card. That is the ultimate source of truth anyway, in regards to payments, so you could "prove" who you are by stopping all continuing payments to the service.

So say I do this, and later my account is sent to collections. Can you think of a worse possible outcome when your phone is dropped in the toilet if you have no scheme for 2FA recovery?

My cloud-hosted business gets shut down, credit score tanks, because of the combination of my butter fingers and your secure authentication scheme! Might as well not employ any CSR drones at all if you're not going to handle this case. Maybe I'm exaggerating, but this is not a great strategy for customer satisfaction or retention.

To the extent that in a dispute situation, who pays the bill =/= whomever holds the keys, my preferred customer service strategy would tend to favor who is paying the bill.

I haven't heard of hosting companies sending anyone to a collection agency. It could happen, sure, but I think it's more likely they just cancel your account and suspend all continued hosting (which, if you believe 2FA should be impossible to circumnavigate, this is probably the ideal outcome). From there you would probably open a new account and start over.

I could see the argument either way on if this is the most optimal solution or not.

> If you're sending me a bill, you need to provide a way for me to resolve an issue such as this.

Not if you want it to provide real security.

I don't give a fuck if someone else wants to pay my bills.

Yeah, for real, why does my Comcast account need 2FA?

So you would have no problem posting your username and password for Comcast publicly?

Hell no, without 2FA those are the only things protecting my account! Why would I want to post them publicly? That doesn't even make sense.

I do business with 4 banks and have no less than 4 credit cards, and I'm pretty sure that none of them offer proper 2FA with tokens for the online accounts. Now that you mention it, this is a serious question. Why does Comcast get there before any of the major and/or local banks?

I'll admit, if I can protect my Comcast account and as a result, I never have to speak to another one of their Customer Service Reps, it would be a huge victory! This is probably part of their retention strategy, to be fair.

It's telling that there's no mention on any document, or interface to Comcast's 2FA settings (that I can find anyway), that speaks to how to use it for protecting the set-top box from ordering Pay-Per-View content.

If I turn on 2FA, I'm pretty sure I won't have the option to use it when ordering PPV. It looks like they have a PIN lock instead. Maybe I can disable PPV and protect it with the second factor?

I honestly have no idea why it's even an option. Are swatters gonna log into my Comcast account, upgrade my XFINITY connection to the maximum bandwidth, and sign me up for all of the premium channels?

Or are they hacking my account so they can pay the bill for me :-D

I would have a problem posting them publicly. Now, if someone wants to trick Comcast support so they can pay my bill, go ahead!