by shadowgovt
1413 days ago
If the library is holding even a piece of users' credentials, they become liable for either intentional or unintentional harm. On the unintentional side: their 2FA back-stop solution could be compromised or stolen by a third-party because they failed to secure it (they'll be a smaller target... Crooks will get very little from stealing access to a small population of older folks over what they'd get for, say, finding a reliable way to compromise any Gmail user's access... But they'll be a target). On the intentional side: they now have to move the bar on vetting whoever staffs the project from "trusted enough to be a librarian" to "trusted enough to be a keeper of passwords or reset emails..." Which, TBH, may be a lateral move, since librarians know what books we read. ;) But the insider attack situation here is nasty... A corrupt individual in the loop could trivially trigger a password-reset attempt, use the fact they have control over the user's 2FA (or recovery email) to steal the user's credentials, act on behalf of the user for a bit (reroute benefits to some other address?), and then just wait for the user to discover their password is locked out and kindly help them correct it.