the <30 day old owner key was actually required by base layer consensus to perform recovery.
Yes, you need a password or private owner key that was valid less than 30 days ago to confirm the request_account_recovery initiated bu the trustee.
Can't you generate the memo key with the owner key?
No, you need the password to regenerate keys
I'm still not understanding how the recovery account is unable to steal the account.
- you never provide any password or private key to the recovery account
- you have to confirm the recovery request initiated by the recovery account.
- if the recovery account is malicious and is colluding with an attacker that has stolen your private owner key then it is possible for them to gain full control of your account, i.e. to change the account password.
One more reason to carefully choose your recovery account.