As long as they can get into the email, they can eventually get into everything else. If there are second factors in the way, I have backup codes printed out and stored in a safe location that they will be able to access. And this only matters if the official facilities, e.g.: Apple Legacy Contact, don't pan out.