HACKER Q&A
📣 jpgvm

Example of good account takeover recovery flow?
My sister recently had her Instagram account compromised and has been unsuccessful in regaining access to it.

A big part of this is the dysfunctional ATO recovery flow. The unscrupulous folk who managed to take over the account first changed the email and phone number and then added 2FA.

When attempting the ATO recovery flow, it asks for the 2FA codes... essentially invalidating the entire flow as a recovery mechanism.

Given this, what is the proper way to design these?

What I implemented previously was automated recovery via the user being able to verify both the original email and original phone number on the account (bypassing whatever 2FA has been enabled). This works, but if IG isn't doing that, what is the reason it isn't enough? Is SIM jacking a large enough threat in the case where the hacker has already taken over the email?

Netflix asks for payment record information; I think this is a pretty good one and has potential to be automated.

  👤 tinus_hn (Accepted Answer)
An important consideration is that 2FA is of no value if it can be bypassed.
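One way to reconcile the two points above (the question's "verify the original email and original phone" recovery and the answer's caveat that a recovery path which skips 2FA is itself a 2FA bypass) is to stop treating the *current* contacts as recovery factors at all. The model below, an added example that is not code from the original thread, Instagram or Netflix, keeps a history of every verified contact, accepts as recovery proof only contacts that have been on the account for a minimum age (so the email and phone an account thief just swapped in do not count, while the ones they replaced still do), notifies every historical contact, and completes only after an undisputed hold. The account store, the 30-day factor age, the 48-hour hold and all sample data are assumptions made for the example.

```python
"""Account-recovery flow in which recovery does not silently become a 2FA bypass.

Added example, not code from the original thread, Instagram or Netflix. The account
model, MIN_FACTOR_AGE, RECOVERY_HOLD and every sample value below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MIN_FACTOR_AGE = timedelta(days=30)  # assumption: a contact must be this old to count
RECOVERY_HOLD = timedelta(hours=48)  # assumption: cooling-off before recovery completes


@dataclass
class ContactRecord:
    kind: str              # "email" or "phone"
    value: str
    verified_at: datetime  # when the contact was verified on the account


@dataclass
class RecoveryRequest:
    email: str
    phone: str
    requested_at: datetime
    disputed: bool = False


@dataclass
class Account:
    user_id: str
    email: str
    phone: str
    history: List[ContactRecord] = field(default_factory=list)  # every contact ever verified
    totp_enabled: bool = False
    pending: Optional[RecoveryRequest] = None


def change_contact(acct: Account, kind: str, value: str, now: datetime) -> None:
    """Replace the current email or phone; the old value stays in the history."""
    setattr(acct, kind, value)
    acct.history.append(ContactRecord(kind, value, now))


def eligible_factors(acct: Account, now: datetime, kind: str) -> set:
    """Contacts of one kind verified at least MIN_FACTOR_AGE ago.

    A contact added days ago (the first thing a thief changes) is not eligible even
    though it is current; a contact the thief replaced still is.
    """
    return {c.value for c in acct.history
            if c.kind == kind and now - c.verified_at >= MIN_FACTOR_AGE}


def notify_targets(acct: Account) -> List[str]:
    """Everyone ever on the account hears about a pending recovery, so the real
    owner is told even when the current contacts belong to the thief."""
    return sorted({c.value for c in acct.history})


def start_recovery(acct: Account, email_proved: str, phone_proved: str,
                   now: datetime) -> Optional[RecoveryRequest]:
    """Open a request only if BOTH proven contacts are eligible factors."""
    if email_proved not in eligible_factors(acct, now, "email"):
        return None
    if phone_proved not in eligible_factors(acct, now, "phone"):
        return None
    acct.pending = RecoveryRequest(email_proved, phone_proved, now)
    return acct.pending


def dispute_recovery(acct: Account) -> bool:
    """A notified party contests the request; it then never completes automatically."""
    if acct.pending is None:
        return False
    acct.pending.disputed = True
    return True


def complete_recovery(acct: Account, now: datetime) -> str:
    """Finish a pending request once the hold has elapsed undisputed: restore the
    proven contacts and drop the 2FA that was enrolled during the takeover."""
    req = acct.pending
    if req is None:
        return "no_request"
    if req.disputed:
        return "manual_review"
    if now - req.requested_at < RECOVERY_HOLD:
        return "holding"
    acct.email, acct.phone = req.email, req.phone
    acct.totp_enabled = False  # the verified owner re-enrols 2FA afterwards
    acct.pending = None
    return "recovered"


def demo():
    """Constructed scenario mirroring the post: contacts swapped, then 2FA added."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    acct = Account("owner", "owner@example.com", "+15550100",
                   history=[ContactRecord("email", "owner@example.com", t0),
                            ContactRecord("phone", "+15550100", t0)])
    takeover = t0 + timedelta(days=400)
    change_contact(acct, "email", "thief@example.net", takeover)
    change_contact(acct, "phone", "+15550199", takeover)
    acct.totp_enabled = True
    now = takeover + timedelta(days=3)

    refused = start_recovery(acct, "thief@example.net", "+15550199", now) is None
    started = start_recovery(acct, "owner@example.com", "+15550100", now) is not None
    holding = complete_recovery(acct, now)
    final = complete_recovery(acct, now + RECOVERY_HOLD)
    return refused, started, holding, final, acct.email, acct.totp_enabled
```

The design choice worth noting is that nothing here "bypasses" 2FA in the sense the answer warns about: the thief's fresh contacts cannot start recovery, the request is visible to every address and number that was ever on the account, and a dispute during the hold diverts it to manual review instead of letting either side win automatically. SIM swapping of the original number still has to be combined with control of the original mailbox and a 48-hour window without a dispute, which is a materially higher bar than the single-factor path the question describes.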