Provide a method for 2-factor self-recovery

Use their launchpad GPG key to GPG-encrypt a recovery token to them and send via email?

That could certainly work for Launchpad users. If we were to move key management to SSO then it would cover more users, although it may be complex to setup for less technical users.

Yes, an option to either answer security questions (paypal) or to text or call my mobile with a code (google) would be great.

Dropbox is using Google's Authenticator-App:
https://blog.dropbox.com/index.php/another-layer-of-security-for-your-dropbox-account/
and
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

Sending text messages via SMS would work too, but will generate costs on the Ubuntu side. The combination should clearly be password + 2nd independent channel (e.g. phone), e.g. http://www.youtube.com/watch?v=zMabEyrtPRg . Additional security questions can be intercepted as well when accessing U1 from an internet cafe.

A GPG key option would be great, but even within Canonical there are plenty of non-technical folks who don't know how to set that up.

I'd like to see a 'paper' device type in SSO which would work like the recovery token described above (but perhaps with an entire sheet of codes instead of just one).

The SMS option sounds like it should be effective, but wouldn't help if the phone was lost since the user would lose their primary auth device and their backup at the same time. It would still help in other circumstances, though.

GPG is over complex for mortals.

SMS will incur costs, plus many users will be using their smartphone as their authentication device - so a lost device means loss of SMS access. (Plus presumably would only work in a limited range of countries.)

Security questions are a notorious security hole (usually easier to guess than passwords).

Our current plan is to add a "paper device" that produces a list of tokens. We will offer to create this "device" for the user when they add their first authentication device - possibly with a checkbox that defaults to "on" (opt-out).

We can incorporate some kind of warning to the user when they are nearing the end of their list of tokens to prompt them to print off some more.

Adding a "paper device" is issue 911942. This *doesn't* provide "self-recovery" (it relies on action being taken *before* the user is locked out).

I'll close this bug - we have the option of generating paper backup devices and will soon do this on 2FA enablement so it will take deliberate action from people to NOT have a recovery device, and we're implementing measures to periodically check the backup device is current and active to reduce the chance of people generating and then forgetting about their backup codes.

We can NOT email or SMS recovery codes since an email compromise (with which an attacker can request a password reset) is precisely the thing 2FA is designed to protect against, and SMS is subject to phone number hijacking.