[7952]

Why not send a reset code to the registered address or phone number? Or they could pay some money into the registered bank account with a special code that would only be visible on a bank statement (like Paypal).

[danielweber]

People move physically and change their phone numbers, too.

You don't have a bad idea, you just need to consider all the effects.

[7952]

It is not like you have a perfectly verified identity in the first place. There are no photos or biometrics that could uniquely identify the person in the absence of the things like address or phone. Most websites do not verify identity but the provenance of the user (is it the same person?). Establishing actual identity is just more difficult and mostly unnecessary.

[danielweber]

For my personal domain, yes, that's overkill.

For the places where it's really necessary, like fastmail, they should have physical photos of all the principals on hand.

It's expensive, but it's also an extremely precious resource they need to guard at all times.