 We can't let a friend have any role in the recovery process because that creates legal liability on the friend to keep the information (which is medical) secure. In the US, if a friend has access, the friend must be HIPAA trained and compliant. So, instead, what we want is to use the friend's physical security to host encrypted information that only the owner of the account can decrypt.
 Ah I see. I didn't realize it was that formal. Dang, biometrics is the way, then. Back to square one.