Prompt users to double check their account recovery settings
We would like to empower users to better recover their own accounts, especially when 2FA is enabled. This would allow us to no longer support account recovery via the phone, which can lead to social engineering attacks as well as other challenges.
One of the best practices is to occasionally remind users to validate their account recovery settings. This way, if they got a new phone number but forgot to update their account recovery settings, they get a chance to update it before becoming locked out.
You can see examples of this with GitHub, Google, and many other popular SaaS services.
Proposal
- Every 3 months, surface a reminder banner:
  - "Please ensure your account's <a href="/profile/account">recovery settings are up to date</a>."
- When the link is clicked or the banner dismissed, surface again in 3 months.
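As an added illustration of the timing rule above (example code, not GitLab's own implementation), the following Ruby class decides whether the banner is due from a single per-user timestamp that records the last click or dismissal. The `User` struct and its `recovery_reminder_acknowledged_at` field are assumptions for the example; the interval is computed in calendar months so that a user who acknowledged on 31 January is next reminded on 30 April, not on a fixed day count.

```ruby
require 'date'

# Added example (not GitLab's own code): decides whether the account-recovery
# reminder banner is due, and records when the user acknowledged it.
class RecoveryReminder
  INTERVAL_MONTHS = 3

  # Hypothetical user record holding only the field the reminder logic needs.
  # recovery_reminder_acknowledged_at is a Date, or nil if never acknowledged.
  User = Struct.new(:id, :recovery_reminder_acknowledged_at, keyword_init: true)

  def initialize(now: Date.today)
    @now = now
  end

  # The banner is due if the user has never acknowledged it, or if the last
  # acknowledgment (link click or dismissal) is at least 3 calendar months old.
  def due?(user)
    last = user.recovery_reminder_acknowledged_at
    return true if last.nil?

    (last >> INTERVAL_MONTHS) <= @now
  end

  # Date the banner will next reappear, or nil if it has never been
  # acknowledged (in which case it is due immediately).
  def next_due_on(user)
    last = user.recovery_reminder_acknowledged_at
    last && (last >> INTERVAL_MONTHS)
  end

  # Record a click or dismissal so the banner stays hidden until next_due_on.
  def acknowledge!(user)
    user.recovery_reminder_acknowledged_at = @now
    user
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample user who has never seen the banner.
  alice = RecoveryReminder::User.new(id: 1, recovery_reminder_acknowledged_at: nil)
  reminder = RecoveryReminder.new(now: Date.new(2020, 1, 31))
  puts "due on first visit: #{reminder.due?(alice)}"
  reminder.acknowledge!(alice)
  puts "next due on: #{reminder.next_due_on(alice)}"
end
```

Keeping a single acknowledgment timestamp, rather than a "shown" flag, means a click and a dismissal are treated identically, which matches the proposal, and a user who never interacts keeps seeing the banner on each visit until they do.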
Edited by Jeremy Watson (ex-GitLab)