Conceptually, any way that a lawful owner can recover a password (after losing it,) offers some opportunity to a digital intruder to do the same.
Two-factor authentication, such as Google’s Gmail offers, greatly assists in specifying the identity of a login user. Two-factor authentication is properly defined by the descriptor “something you have and something you know.” In Gmail’s implementation, the “something you have” is your phone. The “something you know” is the password phrase.
Having secured an account with two factor authentication, it is procedurally necessary to have some way to compensate a lost phone. This is answered, in the security section, by additional passcodes that are digitally durable, and work independent of the phone.
Securing these is a conceptual weakness in the scheme, but this entry is about email recovery, not exclusively securing access.
The second line of defense, is to specify a second “recovery” email address, where the flagship account may be recovered by over-ride. This email address (probably from another provider) would likewise need two-factor authentication, to be satisfactory.
Secure email account recovery would not be completely answered by having the passcodes to the flagship account secured in a safety deposit box, since a lost (or compromised) password would still block access. Also, no solution that does not require account recovery could be called account recovery. Once the master account is hardened against the loss of one’s phone, the securing of the recovery account should be the next consideration. Under the circumstance that you have lost your ID and phone together with your password, this situation is best answered by holding the passcodes to the recovery account in a safety deposit box, stopping password guesses from compromising the recovery account.
In a final theoretical bid for thoroughness, it must be observed that the security of the backup account is only equal to the security of the safety deposit box. Storing the password phrase for the recovery account separately from its passcodes, introduces the additional measure that more than one person can be required in order to certify access to the recovery account, for arcane implementations.