by ksk 2984 days ago
>I'd be interested to know what a good process is.

IMHO, a good process would have several tiers, each being more manual, less automated, and more time consuming. The basic tier would be security questions, alternate email, SMS, 2FA, etc. The next tier could be establishing identity and would mean communicating with a real person. You can send a signed affidavit along with a government issued ID and the person would verify it. Then they would have to establish that the account itself belongs to a specific person, and that that person is you. This can be done in various ways - billing address, CC info (if applicable to that service), etc, etc. A more real answer would be dependent on the actual service and what information the service captures at signup, etc.

>I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.

Well, then that is a different argument and I'd agree that it takes time and money to get a good process in place.

But if you think about it, your logic can be applied to anything, right? I don't believe most (if any) software companies have enough profit motive to test their software for security bugs or hire people who have expertise in security.

>Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:

Yeah, that is an example of a bad process.
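The tiered escalation ksk sketches above, written out as a policy function. This is an added example, not code from the thread or from any real service: the tier names, the "two automated factors, one of them possession-based" rule, the linkage channels and the lockout limit are all assumptions chosen to illustrate the idea. The one point the code makes that the comment leaves implicit is that only claims the service can match against its own signup records count as evidence; a story the requester tells is not a factor.

```python
"""Tiered account-recovery policy (hypothetical illustration).

Tier 0 is automated, tier 1 is a human checking identity, tier 2 is a
human checking that the account is tied to that identity. All thresholds
and channel lists below are assumptions for the example.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from enum import Enum


class Channel(str, Enum):
    """Channels over which a recovery claim can be checked."""
    SECURITY_QUESTIONS = "security_questions"
    ALTERNATE_EMAIL = "alternate_email"
    SMS = "sms"
    TOTP = "totp"                      # the "2FA" factor
    BILLING_ADDRESS = "billing_address"
    CARD_LAST4 = "card_last4"


# Tier 0 factors. Security questions are guessable from public data, so they
# only count alongside a possession factor (assumption, not from the thread).
AUTOMATED = {Channel.SECURITY_QUESTIONS, Channel.ALTERNATE_EMAIL, Channel.SMS, Channel.TOTP}
POSSESSION = {Channel.ALTERNATE_EMAIL, Channel.SMS, Channel.TOTP}
# Tier 2 factors: records that tie this account to a verified person.
LINKAGE = {Channel.BILLING_ADDRESS, Channel.CARD_LAST4}

MAX_FAILED = 5  # assumed lockout threshold


class Outcome(str, Enum):
    RESTORED = "restored"
    RESTORED_AFTER_MANUAL_REVIEW = "restored_after_manual_review"
    ESCALATE_TO_HUMAN = "escalate_to_human"
    DENIED = "denied"


@dataclass
class Account:
    """What the service recorded at signup (constructed sample data)."""
    secrets: dict[Channel, str]         # channel -> value on file
    failed_attempts: int = 0


@dataclass
class RecoveryRequest:
    """What the requester asserts. Nothing here is trusted until matched."""
    claims: dict[Channel, str] = field(default_factory=dict)
    # Set only by a trained agent after inspecting the affidavit and ID (tier 1).
    identity_verified_by_agent: bool = False


def verified_channels(account: Account, req: RecoveryRequest) -> set[Channel]:
    """Channels whose claimed value matches the service's own record.

    A claim with nothing on file to compare against counts for nothing. That
    is the gap social engineering exploits: an agent accepting a plausible
    story instead of a matching record.
    """
    ok: set[Channel] = set()
    for ch, claimed in req.claims.items():
        expected = account.secrets.get(ch)
        if expected is None:
            continue
        if hmac.compare_digest(expected.encode(), claimed.encode()):
            ok.add(ch)
    return ok


def decide(account: Account, req: RecoveryRequest) -> Outcome:
    """Walk the tiers from cheapest to most manual."""
    if account.failed_attempts >= MAX_FAILED:
        return Outcome.DENIED
    proven = verified_channels(account, req)

    # Tier 0: two automated factors, at least one of them possession-based.
    auto = proven & AUTOMATED
    if len(auto) >= 2 and auto & POSSESSION:
        return Outcome.RESTORED

    # Tiers 1 + 2: identity established by a human, plus a record tying this
    # account to that identity. Proving who you are does not prove the
    # account is yours.
    if req.identity_verified_by_agent and proven & LINKAGE:
        return Outcome.RESTORED_AFTER_MANUAL_REVIEW

    # Partial evidence goes to a person; no verifiable foothold is a failure.
    if proven or req.identity_verified_by_agent:
        return Outcome.ESCALATE_TO_HUMAN
    account.failed_attempts += 1
    return Outcome.DENIED


def sample_account() -> Account:
    """Constructed signup record for the example."""
    return Account(secrets={
        Channel.SECURITY_QUESTIONS: "fluffy",
        Channel.ALTERNATE_EMAIL: "tok-123",   # token proven via the alternate inbox
        Channel.TOTP: "482913",
        Channel.BILLING_ADDRESS: "1 Main St",
    })
```

In practice each tier-0 value would be a freshly issued one-time token rather than a stored string, and the agent flag would come from a ticketing system with an audit trail; the shape of the decision is the same.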

1 comment

The cost of hiring security engineers and testing for security bugs is constant with regard to the number of users. Whether you have 1000 users or 1 billion users, your service has the same security if you spend the same amount on testing and engineers.

But the cost of human intervention in recovery increases linearly with the number of users.

I agree with your ideas for automation. But human intervention has problems.

One solution for human intervention is to charge a non-refundable fee for recovery. This has the advantage of discouraging attackers from trying to recover. The problem is I think this would cause bad PR for the companies. Now instead of blog posts saying "Google locked me out of my account" there would be blog posts saying "Google is charging me $20 to access my own account" or "Google is holding my account hostage for cash".