For a business setting, that's a red flag for KYC, but for a B2C app, that's a very legitimate concern. If I were in that position, I'd probably just insist on seeing some proof that I can tie to the payment method, because otherwise how do I know you're John Smith from 123 Residential St, or John "the crook" Smith from the bad side of town? Bank statement, photo ID, etc.
Remember that this process needs to be painful. You already screwed up by losing your 2FA. It sucks, but if it doesn't, then it defeats the point of having that 2FA in the first place.
Photo ID is not used for authenticating that the person lives at the address. That's why voting registration or driver's license requires proof of residency [1]:
> A few examples of acceptable documents to prove California residency are:
> Rental or lease agreement with the signature of the owner/landlord and the tenant/resident
I've never understood why these documents are meaningful in any way. The people at the DMV aren't qualified to judge whether these documents are forgeries, and certainly not in the ~5 seconds they spend looking at them. Anyone with a printer and Microsoft Paint can produce one of these in two minutes.
When I was getting my state ID, I wasn't prepared to have proof of residency, so I ended up downloading a bank statement from my mobile banking app, and presented the corner with my address & name on it to the clerk. I also wouldn't put much trust into the address information on IDs.
For this to be a problem someone would have to lose their 2FA device, and their backup codes, and change their billing address but not the address on their ID. If all that does happen, they can solve it by updating their ID, which most states require within 30 days of moving anyway.
Which is the correct answer, thank you. It does need to be painful, otherwise it has no value. But it needs to be fair. For example, I moved home a year ago with my now wife. Hireright needed utility bills in my name, but she pays them and I pay the mortgage. This caused a lot of stress. I swear a load of these gatekeepers have never tested or thought about this process.
I'd argue that trumps all other control over the account. If you can show that you control the payment method, then I'll accept you as the legitimate controller of the account.
So, notarized, translated, and apostilled letter from the bank branch manager stating that you are the person in control of the account, sent by certified mail with signature delivery and I'll send you back a link to type in manually the same way.
As a shortcut, I'd say it's mostly safe to accept a picture of someone's face holding up their photo ID with the same billing address.
Or confirming the amount and/or origin (some banks/credit systems do not display the merchant name for some half-brained reason) of a small transaction (e.g. 1.37 USD from merchant account ACMECORP-294817) that is refunded after a week.
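The micro-charge check described in the comment above, as an added example that is not part of the thread. It assumes a hypothetical payment gateway (the `gateway.charge`/`gateway.refund` calls are left as comments), a per-challenge merchant descriptor in the `ACMECORP-NNNNNN` shape the comment uses, and an injectable clock so the one-week refund can be exercised. The practical caveats it encodes: the amount alone carries almost no entropy (about a hundred possible values), so guesses must be hard-capped and the challenge must expire; the descriptor is only checked when the claimant's bank actually shows it; and the refund is scheduled whether or not the claimant ever succeeded.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

MAX_ATTEMPTS = 3                 # amount space is ~100 values: bound guesses hard
CHALLENGE_TTL = 7 * 24 * 3600    # one week, after which the charge is refunded
MIN_CENTS, MAX_CENTS = 101, 199  # charges between 1.01 and 1.99 USD (assumed range)


@dataclass
class Challenge:
    account_id: str
    amount_cents: int      # random, never reused across challenges
    descriptor: str        # what shows on the statement, e.g. ACMECORP-294817
    issued_at: float
    attempts: int = 0
    verified: bool = False
    refunded: bool = False


class MicroChargeVerifier:
    """Issue a small charge and verify the claimant can read it off their statement."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry/refund can be tested
        self._challenges = {}

    def issue(self, account_id: str) -> Challenge:
        amount = MIN_CENTS + secrets.randbelow(MAX_CENTS - MIN_CENTS + 1)
        descriptor = f"ACMECORP-{secrets.randbelow(10**6):06d}"
        ch = Challenge(account_id, amount, descriptor, self._now())
        self._challenges[account_id] = ch       # a new challenge replaces any old one
        # gateway.charge(payment_method_of(account_id), amount, descriptor)  # hypothetical
        return ch

    def verify(self, account_id: str, claimed_cents: int,
               claimed_descriptor: Optional[str] = None) -> bool:
        ch = self._challenges.get(account_id)
        if ch is None or ch.verified:
            return False
        if self._now() - ch.issued_at > CHALLENGE_TTL:
            return False                       # expired: claimant must request a new charge
        if ch.attempts >= MAX_ATTEMPTS:
            return False                       # locked out; say nothing about closeness
        ch.attempts += 1
        # Constant-time comparisons; lengths differ on a wrong amount, which is fine
        ok = hmac.compare_digest(str(ch.amount_cents).encode(),
                                 str(int(claimed_cents)).encode())
        if claimed_descriptor is not None:
            # Only required when the bank actually displays the merchant name
            ok &= hmac.compare_digest(ch.descriptor.encode(),
                                      claimed_descriptor.strip().upper().encode())
        if ok:
            ch.verified = True
        return ok

    def due_refunds(self) -> List[Challenge]:
        """Charges older than the TTL that still need refunding, verified or not."""
        due = [c for c in self._challenges.values()
               if not c.refunded and self._now() - c.issued_at >= CHALLENGE_TTL]
        for c in due:
            c.refunded = True
            # gateway.refund(c.descriptor, c.amount_cents)  # hypothetical
        return due
```

A passing check here only proves control of the payment method, which is the point the comment above makes; it is one factor in the recovery process, not a replacement for the rest of it.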