by c22 2109 days ago
I ran a small system for a while where you could designate three other users to act as backup. If you needed to reset your password each of the three backups would receive a unique token and a request that they forward it to you out of band. With all three tokens you could reset your password. This was optional, though, and in addition to a classic email based reset flow. Obviously a solution like this would only really be feasible for a few niche applications.
1 comments

Could you set a minimum amount of time since last login / visit before recovery was possible? If you are visiting the site every day, and your three "friends" decide to collude to reset your password, the site should refuse to issue the tokens since you are still able to access it.

This gets a little more tricky if you have an unexpired session but want to be able to change your password (which likely requires knowing the existing password), but a request from this logged in session to reset your password should be trustable (unless your "friends" have also stolen your unlocked device).

Similarly, if one or more of your "friends" requests a token / password reset of your account, the site should highlight that in a banner on every page you visit, to potentially give you warning to find better friends. (The process for replacing a friend on the site should probably require re-entering your password too, to stop someone that's hijacked your session from picking three sock puppet accounts as your new friends, and resetting your password that way).

The community as a whole was pretty tight-knit so we didn't go that far down the security rabbit-hole. The initial proposal, though, only required a single backup and we did increase it to 3 to add a little more defense ;)

Presumably if only one "friend" defects and attempts to reset your account you will be notified by the other two friends sending you unrequested reset tokens out of the blue

3 is kind of an arbitrary number, chosen to strike a balance between security and convenience. It was decided that getting 3 people to collude to erode the trust of the community was harder than intercepting an email so the solution was accepted as adding some additional amount of security.

Honestly a bigger flaw in this scheme is if one or more of your friends is no longer active or has forgotten their own password and cyclically is relying on you for backup. You can hedge against this a bit by adding more backups and requiring only some critical mass of tokens, but this does also increase the attack surface.
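The scheme discussed in this thread, written out as an added example (this is not c22's code and not from any system mentioned above): an in-memory model of designated-backup recovery with the refinements proposed in the replies, namely a k-of-n token threshold instead of a fixed three, a minimum idle time before recovery is allowed, a per-account alert whenever a backup requests a reset, and a password check before the backup list can be changed. Every name, constant and helper here (RecoveryService, TOKEN_TTL, MIN_IDLE_BEFORE_RECOVERY, the PBKDF2 password hashing) is an assumption made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy constants for the example; the thread names no concrete values.
TOKEN_TTL = 24 * 3600                     # a recovery token is usable for one day
MIN_IDLE_BEFORE_RECOVERY = 7 * 24 * 3600  # refuse recovery if the owner was active in the last week


def hash_password(password, salt=None):
    """Toy storage format 'salt$hash' using PBKDF2; a real site would use argon2/bcrypt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(stored, hash_password(password, bytes.fromhex(salt_hex)))


@dataclass
class Account:
    name: str
    password_hash: str
    backups: list                       # names of the designated backup users
    last_seen: float                    # last login / visit, as a timestamp
    pending: dict = field(default_factory=dict)   # token -> (issued_at, backup name)
    alerts: list = field(default_factory=list)    # shown in a banner to the owner


class RecoveryService:
    """Hypothetical service modelling the designated-backups reset flow."""

    def __init__(self, threshold=3, now=time.time):
        self.threshold = threshold      # how many distinct backups' tokens are required
        self.now = now                  # injectable clock so the flow can be tested offline
        self.accounts = {}

    def add(self, acct):
        self.accounts[acct.name] = acct

    def touch(self, name):
        """Record an ordinary visit by the owner; this is what blocks colluding backups."""
        self.accounts[name].last_seen = self.now()

    def set_backups(self, name, password, new_backups):
        """Changing backups needs the password, so a hijacked session cannot swap in sock puppets."""
        acct = self.accounts[name]
        if not verify_password(acct.password_hash, password):
            return False
        if len(new_backups) < self.threshold or name in new_backups:
            return False
        acct.backups = list(new_backups)
        return True

    def start_recovery(self, requester, target):
        """A backup asks the site to begin a reset. Returns {backup: token} or None if refused.
        In a real deployment each token is sent only to its own backup, who forwards it
        to the owner out of band; the owner never gets them directly from the site."""
        acct = self.accounts[target]
        if requester not in acct.backups:
            return None
        acct.alerts.append(f"{requester} requested a password reset for your account")
        if self.now() - acct.last_seen < MIN_IDLE_BEFORE_RECOVERY:
            return None                 # owner is still active: no tokens are issued
        acct.pending = {}
        issued = {}
        for backup in acct.backups:     # one unique token per backup
            token = secrets.token_urlsafe(16)
            acct.pending[token] = (self.now(), backup)
            issued[backup] = token
        return issued

    def complete_recovery(self, target, tokens, new_password):
        """Accept the reset only if unexpired tokens from >= threshold distinct backups are presented."""
        acct = self.accounts[target]
        vouched = set()
        for token in tokens:
            for pending_token, (issued_at, backup) in acct.pending.items():
                fresh = self.now() - issued_at <= TOKEN_TTL
                if fresh and hmac.compare_digest(token.encode(), pending_token.encode()):
                    vouched.add(backup)
        if len(vouched) < self.threshold:
            return False
        acct.password_hash = hash_password(new_password)
        acct.pending = {}               # tokens are single-use
        return True
```

With the threshold left at 3 and exactly three backups this is the all-three-tokens rule from the original post; raising the backup count while keeping the threshold gives the "critical mass" variant from the last comment, with the wider attack surface that comment notes. The idle-time check is deliberately evaluated after the alert is recorded, so a defecting backup is surfaced to the owner even when the request is refused.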