Even with a multi-sig active authority, transfers can still be done with the owner authority (currently requiring only one sig with the example account).
However, the exact same concept can be applied to the owner authority as well. This has to be done carefully, since a mistake there could render the account unusable and the funds locked.
In looking for an easy way to get my test account usable again, I discovered that a master password reset will automatically change the weight of all that account's native keys to the Threshold weight, presumably including the owner key, though I didn't test for it. I don't know that there's any way to prevent that.
I would presume account recovery behaves similarly.
The account recovery on its own only affects the owner authority, all other authorities are not touched. In the
Request_account_recovery
operation, you can specify how the new authority should look like, including any account_auths, key_auths, weights and the threshold - see for example here. Changing any lower-priviledged keys is then possible from the new owner authority.