by kristopolous 634 days ago
It should be web of trust.

You add, let's say, up to 3 people's names and mobile numbers for recovery, and then they are contacted requesting that they reach out to you to authenticate.

Something like

"You've been added to X's web of trust for account recovery at example.com. If X needs to recover their account, we may ask you to confirm with them that it's genuine."

Then something like

"X is trying to recover their account for example.com. Please contact them within the next Y days to confirm it's genuine and, if it is, respond with the 4-digit recovery code X gives you."

Then from X's side:

"Your web of trust has been contacted. Feel free to contact them now and give them the PIN YYYY so they can confirm this is genuine."

This approach pretty elegantly addresses a number of security question limitations and existing 2FA infrastructures shouldn't be that hard to modify in order to implement it.

Probably my favorite feature of this approach is that it requires the various security-code social manipulation scams to succeed against 2 people instead of 1, which is rather statistically unfavorable for the scammer.

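The flow sketched in the comment above, as an added example that is not part of the original thread or any site's implementation: a recovery request is opened with the user's trusted contacts and a confirmation threshold, the 4-digit PIN is handed only to the account owner, and contacts submit it back through the service. The threshold of 2 confirmations, the 3-day window ("Y days"), the per-contact attempt limit and the contact names are assumptions chosen for the example; the important defensive details are the short window, the lockout (a 4-digit PIN is only 10,000 guesses) and the fact that a confirmation is only accepted from a registered contact.

```python
import hmac
import secrets
from dataclasses import dataclass, field

PIN_DIGITS = 4
MAX_ATTEMPTS_PER_CONTACT = 3           # assumption: 4-digit PIN, so lock out fast
RECOVERY_WINDOW_SECONDS = 3 * 24 * 3600  # assumption: "Y days" = 3 days


@dataclass
class RecoveryRequest:
    account: str
    site: str
    contacts: frozenset          # the user's web of trust, registered in advance
    threshold: int               # how many contacts must confirm
    pin: str                     # shown only to the account owner, out of band
    opened_at: float             # seconds since epoch
    confirmed: set = field(default_factory=set)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)


def open_recovery(account, site, contacts, threshold, now):
    """Start a recovery: generate the PIN with a CSPRNG, never a guessable counter."""
    if threshold < 1 or threshold > len(contacts):
        raise ValueError("threshold must be between 1 and the number of contacts")
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    return RecoveryRequest(account, site, frozenset(contacts), threshold, pin, now)


def message_to_contact(req):
    """What each trusted contact receives; the PIN is deliberately NOT in it."""
    return (f"{req.account} is trying to recover their account for {req.site}. "
            f"Please contact them to confirm it's genuine and, if it is, "
            f"respond with the {PIN_DIGITS}-digit recovery code they give you.")


def message_to_owner(req):
    """What the account owner receives; only they ever see the PIN."""
    return (f"Your web of trust has been contacted. Give them the PIN {req.pin} "
            f"so they can confirm this is genuine.")


def _expired(req, now):
    return now - req.opened_at > RECOVERY_WINDOW_SECONDS


def confirm(req, contact, pin_given, now):
    """A contact submits the PIN the owner gave them. Returns a status string."""
    if _expired(req, now):
        return "expired"
    if contact not in req.contacts:       # confirmations only from registered contacts
        return "unknown_contact"
    if contact in req.locked:
        return "locked"
    # constant-time compare, so timing does not leak how many digits matched
    if not hmac.compare_digest(pin_given.encode(), req.pin.encode()):
        req.failures[contact] = req.failures.get(contact, 0) + 1
        if req.failures[contact] >= MAX_ATTEMPTS_PER_CONTACT:
            req.locked.add(contact)
            return "locked"
        return "wrong"
    req.confirmed.add(contact)            # recorded per contact, for the audit trail
    return "ok"


def recovery_approved(req, now):
    """Recovery succeeds only inside the window and with enough distinct confirmers."""
    return not _expired(req, now) and len(req.confirmed) >= req.threshold


if __name__ == "__main__":
    # constructed walk-through: owner "alice", trusted contacts bob/carol/dave, 2-of-3
    req = open_recovery("alice", "example.com", ["bob", "carol", "dave"], 2, now=0.0)
    print(message_to_contact(req))
    print(message_to_owner(req))
    print(confirm(req, "bob", req.pin, 60.0), recovery_approved(req, 60.0))
    print(confirm(req, "carol", req.pin, 120.0), recovery_approved(req, 120.0))
```

In a real deployment the contact's reply would be accepted only over the channel registered for that contact (the mobile number from enrolment), and a locked contact or an expired request should be reported to the account owner, since either is a signal that someone other than them is working the recovery.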

A lot of people don't want their trusted web to know what websites they are looking at? Think Grindr/other dating sites, financial/crypto, pornhub, certain message boards etc.

Well, don't use it for porno sites then, or just give different personal email addresses for your web.

Also there's a 100+ year old workaround for that which used to be used in the postal service so people didn't have boxes on their doorstep with giant labels on them reading things like "Dildos Direct": either leave the company name off or use some alias.

Including the company name is really just a user interface flourish to de-alienate the feature.