RecoveryWidget faulty assumption about exact searching


The function lookupCoPerson in RecoveryWidget.php includes this comment:

    // Search for a CO Person record that matches $query. Note that both
    // EmailAddress and Identifier implement exact searching only, so we
    // don't need to handle that specially here.

But that isn't true for Identifier. If you examine the search() function for the Identifier model you will find that it uses this SQL (in part):

    $args['conditions']['LOWER(Identifier.identifier) LIKE'] = '%' . strtolower($q) . '%';

So for example, if the user types 'hung1' into the search form, then the SQL search will be

    LOWER(Identifier.identifier) LIKE '%hung1%';

Now, imagine that hung1 was an auto-generated Identifier from the family name 'hung' with 1 as a discriminator.

Now imagine you have 50 users with the family name 'hung', and so there are Identifiers hung1, ..., hung50.

The above SQL is going to find hung1, hung11, hung12, ..., hung19.

Then the logic for the function lookupCoPerson is going to throw an InvalidArgumentException because more than one CO Person record is found.
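The following is an added example, not code from the ticket or from the project, that reproduces the scenario above against an in-memory SQLite table. It builds the constructed identifiers hung1 through hung50, runs the substring `LIKE '%hung1%'` condition quoted from Identifier::search() beside an exact-match condition, and emulates the multiple-match failure in lookupCoPerson (the real function throws InvalidArgumentException; the hypothetical `lookup_co_person` below raises ValueError). The table name and the two helper functions are assumptions for illustration. Note that the substring search also matches hung10, so it returns eleven rows, not ten.

```python
import sqlite3

def build_db():
    """Constructed sample data: 50 CO People whose auto-generated
    identifiers are hung1 ... hung50 (the scenario in the ticket)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE identifiers (co_person_id INTEGER, identifier TEXT)")
    conn.executemany(
        "INSERT INTO identifiers VALUES (?, ?)",
        [(i, f"hung{i}") for i in range(1, 51)],
    )
    return conn

def substring_search(conn, q):
    """Mirrors the condition quoted from Identifier::search():
    LOWER(Identifier.identifier) LIKE '%<q>%' (substring match)."""
    rows = conn.execute(
        "SELECT co_person_id, identifier FROM identifiers "
        "WHERE LOWER(identifier) LIKE ? ORDER BY co_person_id",
        ("%" + q.lower() + "%",),
    ).fetchall()
    return [identifier for _, identifier in rows]

def exact_search(conn, q):
    """The exact-match condition lookupCoPerson's comment assumes."""
    rows = conn.execute(
        "SELECT co_person_id, identifier FROM identifiers "
        "WHERE LOWER(identifier) = ? ORDER BY co_person_id",
        (q.lower(),),
    ).fetchall()
    return [identifier for _, identifier in rows]

def lookup_co_person(conn, q, exact=True):
    """Simplified emulation (assumption) of lookupCoPerson's logic:
    exactly one match is required; more than one is an error."""
    matches = exact_search(conn, q) if exact else substring_search(conn, q)
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} CO Person records match {q!r}")
    if not matches:
        return None
    return matches[0]

if __name__ == "__main__":
    db = build_db()
    print("substring:", substring_search(db, "hung1"))   # hung1, hung10 ... hung19
    print("exact:    ", exact_search(db, "hung1"))       # hung1 only
    print("lookup (exact):", lookup_co_person(db, "hung1"))
    try:
        lookup_co_person(db, "hung1", exact=False)
    except ValueError as e:
        print("lookup (substring) failed:", e)
```

Running the block shows the substring search returning hung1 plus hung10 through hung19, so the uniqueness check fails, while the exact comparison returns the single intended record. A further point for anyone relying on the `LIKE` form: `%` and `_` in the user's query are themselves `LIKE` wildcards, so they widen the match even more unless escaped.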

Assignee: Shayna Atkinson
Reporter: Scott Koranda