Once #2239973: Deploy two-factor-authentication on drupal.org → is deployed. We will need a policy for removing tfa if a user gets locked out.
For accounts that have certain roles, I feel this should required a trusted user to confirm that the other user is who they say they are. This would be via phone call etc.
This issue is to track the communities ideas around this.
Fixed
User account
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.