[Klathmon]

This is the one that I like the best if manual human review doesn't work for your use case.

Set a reasonable time period (a month seems like really long, I was thinking more along the lines of a week), use every piece of information you have to attempt to alert the user multiple times that a reset is happening (email, text, in-app alerts, etc...), make sure that each "alert" gives the user a one-click way of stopping the reset, and when the reset is successful, delete all information that is easily replaceable (like saved credit cards or addresses, or as much personal information that you can get rid of).

[nmalaguti]

One of the problems with that is it makes account recovery after a compromise that much harder. If an attacker manages to prevent you from seeing those notifications (compromised email/sms) and you aren’t actively signing in, it’s possible for the month to lapse.

Once the attacker has control and you try to reassert ownership, the attacker gets a loud warning every time you try to login/change the TFA and a month to respond.

[Klathmon]

That's very true, so I guess at the end of the day manual verification is needed for just about everything where you absolutely need a user to be able to recover their account.

A scheme like the above still helps cut down on the number of times that manual verification will have to be used, and hopefully can be made rare enough that you can spend the proper amount of time verifying each one to do your best to prevent "stolen identities" from being used.