Okay, another important distinction which I suppose I didn't actually mention before — it ought to be much easier to get credentials revoked than to get them issued. A company needs to have two standards of identification — a strong one for allowing you access to your account, and a weak one (i.e. one that you can use even if you don't have a crypto-widget) for allowing you to revoke the first one should it be compromised. But nobody should be under the illusion that this weaker form of authentication cannot be cracked by someone who is "just calling as a prank". For this weak layer, questions about your recent account history would probably be better than personal questions.

So, yeah, you should be able to get a key revoked much more easily than I seem to have otherwise implied. It should simply be understood that this is a wholy different (and lower) order of "proving you're you".