2 Factor Auth Bypass: Protect yourself with $$

2 points by DanBlake about 9 years ago

1 comment

extrapickles about 9 years ago
The problem with you calling them is that it is possible to social engineer some phone companies to put a forward on the phone line (as a bonus it doesn't prevent outbound calls). USPS mail forwarding is easy to set up online if the attacker has their credit card number. Calls should be made regardless so if the attacker couldn't do this, they can be alerted to the fact that someone is trying to spoof them.

If the fee that you charged was a random amount under $100, then you can use that as part of the auth key process. In addition, one should also overnight the rest of the password via UPS or other method where forwarding is forbidden so an attacker cannot have the token sent to them. You can recover the costs of mailing via the random fee.

It all boils down to there are very few methods right now for securely getting a hold of someone when they have forgotten passwords or have a broken/lost 2-factor device.