For example, where a low-risk action would traditionally be validated with a single email confirmation, a high-risk action (change password, add passkey) will require two different email confirmations with two different email domains. In addition, a user can add N email addresses (trusted contacts), and a minimum of M of these email addresses can help approve a change of email.
This is not very different from what @safe already achieves using smart contracts, but it is massively backward compatible with email.
This will massively reduce the chance of social engineering.
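A sketch of the approval rules described above, as an added example that is not part of the original post. The low-risk action name, the `Account` shape and the sample addresses are assumptions, and verification of each confirmation link is assumed to happen before this check.

```python
from dataclasses import dataclass

# The high-risk tier is named in the text; every other action name here is
# hypothetical. HIGH_RISK is documentation only: anything not in LOW_RISK
# (other than "change_email") gets the stricter rule.
HIGH_RISK = {"change_password", "add_passkey"}
LOW_RISK = {"update_display_name"}

def normalize(addr: str) -> str:
    """Lower-case and trim so 'A@X.com ' and 'a@x.com' count once."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {addr!r}")
    return addr

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2]

@dataclass(frozen=True)
class Account:
    own_emails: frozenset   # addresses the user controls (stored normalized)
    trusted: frozenset      # the N trusted-contact addresses
    threshold: int          # M approvals needed to change email

def is_approved(account: Account, action: str, confirmed) -> bool:
    """confirmed: addresses whose confirmation link was already verified."""
    seen = {normalize(a) for a in confirmed}          # duplicates collapse
    if action == "change_email":
        # M-of-N: only registered trusted contacts count toward the threshold.
        if not 1 <= account.threshold <= len(account.trusted):
            return False                              # misconfigured: fail closed
        return len(seen & account.trusted) >= account.threshold
    own = seen & account.own_emails                   # ignore unknown senders
    if action in LOW_RISK:
        return len(own) >= 1
    # High-risk and unrecognised actions: two confirmations on two
    # different domains (exact domain-string comparison, an assumption).
    return len({domain_of(a) for a in own}) >= 2

# Constructed sample account.
ALICE = Account(
    own_emails=frozenset({"alice@example.com", "alice2@example.com", "alice@example.org"}),
    trusted=frozenset({"bob@example.net", "carol@example.org", "dan@example.com"}),
    threshold=2,
)
```

Two of the user's own addresses on the same domain do not satisfy the high-risk rule, and a repeated confirmation from one trusted contact counts once toward M.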