
> On the other hand, 2FA opens up the "I lost my phone" customer support channel which might be just as weak.

"I lost my phone" (or "my phone stopped working") does need some solution, though.

The right way to handle "I lost my phone" seems like one of two possibilities: either come into a branch and provide legal identification matching what you used to open the account (and get "yourself" on camera doing so), or have a token mailed to your physical address on file (which you cannot change at the same time as a lost phone claim).



Shout out here to NearlyFreeSpeech who do this right. They give you a set of verification actions:

    You provide a scanned copy of a government-issued photo ID.
    You provide a scanned copy of a statement showing both the most recent deposit and a name and address matching one of your accounts.
    You complete SMS verification. (SMS must be previously configured.)
    You complete 2-factor verification. (2-factor auth must be previously configured.)
    You correctly answer your security question. (Security question and answer must be previously configured, below.)
    You use an ssh key to create a file with a specific name on one of your sites hosted here. (Must be previously configured, won’t work if account is empty.)
    We try and fail to contact you via your currently configured email address. (This one may take a long time.)
You can then pick how many of these you want to require to get your account back (and which you want to configure), including an option not to help at all in case you lose your account.
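
One way to model this "pick how many of N verification actions you require" scheme in code, as an added example that is not NearlyFreeSpeech's own code (the factor names, the RecoveryPolicy class and the sample configurations are assumptions). The security-relevant detail it enforces is in the option list itself: a factor that the account holder never configured must not count, even if a claimant "completes" it with a phone number or device of their own, and the ssh-file check is unavailable on an empty account.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import FrozenSet, Iterable, Optional, Tuple


class Factor(Enum):
    """One verification action from the option list above (the names are assumptions)."""
    PHOTO_ID = auto()            # scanned government-issued photo ID
    PAYMENT_STATEMENT = auto()   # statement showing last deposit plus matching name/address
    SMS = auto()                 # code sent to a previously configured number
    TOTP = auto()                # previously configured 2-factor device
    SECURITY_QUESTION = auto()   # previously configured question and answer
    SSH_FILE = auto()            # create a named file on a hosted site with a configured ssh key
    EMAIL_UNREACHABLE = auto()   # provider tried and failed to reach the address on file


# Factors that count only if the holder set them up before the loss. Without this
# rule a claimant could satisfy SMS or 2FA with a number or device they control.
NEEDS_PRIOR_SETUP = frozenset({Factor.SMS, Factor.TOTP,
                               Factor.SECURITY_QUESTION, Factor.SSH_FILE})


@dataclass(frozen=True)
class RecoveryPolicy:
    required: Optional[int]         # factors that must succeed; None = "do not help at all"
    configured: FrozenSet[Factor]   # factors the holder set up in advance
    has_hosted_site: bool = True    # the ssh-file check needs a non-empty account

    def usable_factors(self) -> FrozenSet[Factor]:
        """Factors this account can actually be verified with right now."""
        usable = set()
        for f in Factor:
            if f in NEEDS_PRIOR_SETUP and f not in self.configured:
                continue
            if f is Factor.SSH_FILE and not self.has_hosted_site:
                continue
            usable.add(f)
        return frozenset(usable)

    def validate(self) -> None:
        """Reject a policy the holder could never satisfy."""
        if self.required is None:
            return
        if self.required < 1:
            raise ValueError("require at least one factor, or opt out explicitly with None")
        if self.required > len(self.usable_factors()):
            raise ValueError("more factors required than the account can provide")

    def evaluate(self, passed: Iterable[Factor]) -> Tuple[bool, str]:
        """Decide a recovery request from the set of factors the claimant completed."""
        if self.required is None:
            return False, "holder opted out of account recovery"
        passed = set(passed)
        counted = passed & self.usable_factors()   # only configured/usable factors count
        ignored = passed - counted
        if len(counted) >= self.required:
            return True, f"{len(counted)} of {self.required} required factors passed"
        reason = f"only {len(counted)} of {self.required} required factors passed"
        if ignored:
            reason += f"; ignored unconfigured: {sorted(f.name for f in ignored)}"
        return False, reason


if __name__ == "__main__":
    # Constructed sample: holder requires any two factors and configured SMS and 2FA.
    policy = RecoveryPolicy(required=2, configured=frozenset({Factor.SMS, Factor.TOTP}))
    policy.validate()
    # A claimant with a scanned ID plus an answer to a question that was never set up.
    print(policy.evaluate({Factor.PHOTO_ID, Factor.SECURITY_QUESTION}))
    # The legitimate holder with a scanned ID plus their 2FA device.
    print(policy.evaluate({Factor.PHOTO_ID, Factor.TOTP}))
```

Note that `validate()` is what makes the "how many to require" knob safe to expose to users: a holder who requires more factors than the account can ever produce has effectively chosen the "no help at all" option without realising it, so the policy refuses to save such a setting.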


Nah. Them having a set of your scanned docs just means that if something like what happened to OPM happens, the attacker now conveniently has scanned copies of your docs.

So yeah, bad idea.


> have a token mailed to your physical address on file

This is the worst from the customer's point of view. Takes a long time.


It takes on average 24h or less, considering that mail through DHL is next-morning delivery everywhere, and same-day delivery in larger cities.


This may come as a shock to you but some people live outside the United States.


I’m in Germany, actually.



