You can also ask for a code word (if used). And if the client has a mobile phone, then send a code to the phone.

Payment system, list of services, last activity, micropayment, list of IP addresses from which the client entered (or, as an initial check - a list of providers) - NAT does not save the client from an external IP address, but the likelihood that his neighbor broke, breaks - minimal.
Social profiles with matching information, alternative mail. If this is a game, then the contents of the inventory, recent private messages, and so on.

Perhaps you should ask about the services that he has recently received, or about personal data that only you and he can know.

Alternatively, check the IP address. +1 to the comment above.

If the user made any payment, you can contact him by the internal mail of the payment system.
In general, when registering, ask for other contacts by which you can contact.

If a payment card is linked to the system, you can do what PayPal does when checking the validity of a card: a microwithdrawal from $0.01 to $0.99, the user is required to name the exact amount. Money then, naturally, to return.

Try using KISSmetrics

take a phone number and authorize via sms

Now there is a service that solves the problem of online verification www.PublicVerification.com
I have a modest attitude to its creation