I run a SaaS used by teams to collect company-related information (think something like Crashlytics). Even though the tool lets users invite their colleagues, we often find cases of individuals who created an account for their company but are the only user in the team. We then end up getting requests from their colleagues asking for access to the account, for example when those people leave the company.
The data collected mostly belongs to the company (not to the individual), so the request often makes sense.
By talking to these people you can often feel they're legitimate colleagues who lost access to their data (e.g. they know some details about what's in the account, or their email addresses belong to the same company), but you can never be 100% certain of their good intentions. Allowing an unauthorized user to access an account without strict verification would be a massive breach, so for now we deny such requests, but that's not a great user experience, of course.
I was thinking maybe a potential way to solve this would be by using some company-related security questions, but I'm also open to other options. Do you happen to have the same problem and have you found a solution? Where can I find some best practices for account recovery procedures?
Thanks!