Not a single one as I'm aware of. Simply:
~Security Question
~Recovery Email
They got a little better, since the new dashboard update they've implemented a few security features on their website/dashboard.
~Must sign into account at least once on the Xbox in order to recover it. (You can set it to auto-sign in though. This is what killed Non-JTAG.)
~On their website you have the option to make it so you basically "corrupt" your profile on all consoles your account is on. Prompting a recover.
~In the Xbox Account Management they made it so you can prompt all consoles besides the one you're on now to have to enter a password every time they want to use it.
In collaboration with the new Dashboard. (Which allows you to have your console on multiple consoles, without have to recover them to use them.) So of these features are pretty nice. If someone recovered your profile, you could make it so they have to sign in with your password everytime. (Of course they would have changed it, so useless.) Same goes for the corrupt profile option, to gain access to it you'd have to sign into your account on the Xbox Live website. Which you can't do with a changed password.
Yes, $100's. I think in the Marketplace it's $99.99, but I'm not sure if they tax it or not.
