Aren't people supposed to be registering a gpg key with their account?
That can be used to do a recovery.
Backup passwords need to be used carefully as they are a potential weak
spot. They are often easier to guess and may be used to provide a way
back in to compromised accounts.