Worked support for a major tax software company in recent weeks and my particular specialty focused on people who had login issues.
We generally authenticated by email address or phone number. If someone was locked out and still has access to the email address OR their phone, no problem. I could easily push a reset, after validating other info to ensure it was actually their account.
But if they had changed emails and no longer had access to the email address, or changed phone numbers, the process was MUCH more complicated. These people had to submit photo ID and other fun things to our team. Which is not what you want to tell them when they have ~1 hour to submit their taxes.
One person who called had a family of people who swapped around emails all the time to dodge spam AND they had all changed phone numbers for some reason or other. There was no workable way for me to authenticate them.
Long ago I bought a domain name and use that for my email. My phone authentication goes to an online account and the SMS gets forwarded to whatever my real phone number happens to be.