by arama471 2731 days ago
Put a timer on the reset - Allow them to start the reset process, but make it so it takes a while (at least a few days), and during that time make sure any successfully logged in person on that account sees large warnings that someone is resetting their 2FA. This ensures that whoever actually owns the account can react in time to stop a takeover, at the cost of making the reset process kinda painful.
2 comments

Counter that if I’m a hacker, I’ll already have knowledge of this and try and time my attack when my target is unlikely to log in, but I suppose we’re getting into weeds with that.
If you’re doing that in July or August, or between Christmas and New Year’s Eve, there’s a high probability that the target is offline.
There is no staying out of the weeds when it comes to security. The weeds are where the threats hide.
We all better get a cabin in the woods then ;)
Authy does this - 24 hours during which there are repeated texts, emails, etc. to the addresses they have on file with dire warnings.

Still vulnerable to an "I know this user is on vacation for a week" attack, but it's fairly effective.
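The delayed-reset scheme from the top comment, and the 24-hour window with repeated notifications attributed to Authy above, both reduce to the same state machine: a reset request starts a clock, every address on file and every logged-in session is warned until the clock runs out, an authenticated session can cancel, and the secret only changes after the full delay with no cancellation. The following is an added example of that model in Python; it is not code from Authy or from any commenter. The 3-day delay, the 6-hour reminder interval, the account "alice" and its contact addresses are constructed values for the demonstration.

```python
"""Delayed 2FA reset with owner warnings and a cancel path (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed policy values: the thread suggests "at least a few days";
# Authy is described as using 24 hours. Both are tunable per deployment.
RESET_DELAY = timedelta(days=3)
REMINDER_INTERVAL = timedelta(hours=6)
T0 = datetime(2024, 1, 1, 9, 0)  # constructed start time for the walkthrough


@dataclass
class PendingReset:
    requested_at: datetime
    completes_at: datetime
    last_notified_at: datetime
    cancelled: bool = False


@dataclass
class Account:
    username: str
    contacts: List[str]          # addresses on file (constructed sample data)
    totp_secret: str             # current 2FA secret
    pending_reset: Optional[PendingReset] = None
    outbox: List[Tuple[datetime, str, str]] = field(default_factory=list)  # stands in for SMS/email


def notify(account: Account, now: datetime, message: str) -> None:
    # Every address on file is warned. Whoever started the reset does not
    # control these channels, so the real owner gets the message regardless.
    for contact in account.contacts:
        account.outbox.append((now, contact, message))


def request_2fa_reset(account: Account, now: datetime) -> PendingReset:
    """Start the reset clock; a reset already in progress is not restarted."""
    pr = account.pending_reset
    if pr and not pr.cancelled and now < pr.completes_at:
        return pr
    pr = PendingReset(requested_at=now, completes_at=now + RESET_DELAY, last_notified_at=now)
    account.pending_reset = pr
    notify(account, now, f"2FA reset requested; it completes at {pr.completes_at:%Y-%m-%d %H:%M}. "
                         "Log in and cancel it if this was not you.")
    return pr


def session_banner(account: Account, now: datetime) -> Optional[str]:
    """Warning rendered for any session that logged in successfully during the window."""
    pr = account.pending_reset
    if pr is None or pr.cancelled or now >= pr.completes_at:
        return None
    hours_left = int((pr.completes_at - now).total_seconds() // 3600)
    return f"WARNING: a 2FA reset on this account completes in {hours_left} hours. Cancel it if this was not you."


def cancel_2fa_reset(account: Account, now: datetime) -> bool:
    """Called from an authenticated session, i.e. the existing 2FA still works."""
    pr = account.pending_reset
    if pr is None or pr.cancelled or now >= pr.completes_at:
        return False
    pr.cancelled = True
    notify(account, now, "The pending 2FA reset was cancelled.")
    return True


def send_due_reminders(account: Account, now: datetime) -> bool:
    """Periodic job: repeat the warning while the window is still open."""
    pr = account.pending_reset
    if pr is None or pr.cancelled or now >= pr.completes_at:
        return False
    if now - pr.last_notified_at < REMINDER_INTERVAL:
        return False
    pr.last_notified_at = now
    notify(account, now, "Reminder: a 2FA reset is still pending on your account.")
    return True


def complete_2fa_reset(account: Account, now: datetime, new_secret: str) -> bool:
    """Only succeeds after the full delay and only if nobody cancelled."""
    pr = account.pending_reset
    if pr is None or pr.cancelled or now < pr.completes_at:
        return False
    account.totp_secret = new_secret
    account.pending_reset = None
    notify(account, now, "Your 2FA was reset.")
    return True


def simulate() -> dict:
    """Walk through one blocked reset and one legitimate reset on a constructed account."""
    acct = Account("alice", ["alice@example.com", "+1-555-0100"], totp_secret="old-secret")
    request_2fa_reset(acct, T0)
    banner = session_banner(acct, T0 + timedelta(hours=1))            # owner logs in, sees warning
    early = complete_2fa_reset(acct, T0 + timedelta(days=1), "x")     # too early: refused
    reminded = send_due_reminders(acct, T0 + timedelta(hours=7))      # reminder fires after 6h
    cancelled = cancel_2fa_reset(acct, T0 + timedelta(days=2))        # owner cancels
    after_cancel = complete_2fa_reset(acct, T0 + RESET_DELAY, "x")    # cancelled: refused
    request_2fa_reset(acct, T0 + timedelta(days=5))                   # owner lost device, tries again
    late = complete_2fa_reset(acct, T0 + timedelta(days=5) + RESET_DELAY, "new-secret")
    return {"banner": banner, "early_blocked": not early, "reminded": reminded,
            "cancelled": cancelled, "after_cancel_blocked": not after_cancel,
            "late_completed": late, "secret": acct.totp_secret, "messages": len(acct.outbox)}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The cancel path deliberately requires an authenticated session: the point of the delay is that the real owner, who still holds the working 2FA factor, can stop the reset, while whoever requested it cannot shorten the window or silence the notifications. The vacation case raised in the thread is exactly the residual risk this model leaves, which is why the delay length and the number of notification channels are the knobs a deployment should tune.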