The specific implementation and key processes at each KRS may differ, and the user is encouraged to verify this process individually with their chosen solution.
Typically, with a KRS using BitGo's open-source project, the KRS operator first provisions the private key on an offline machine that is never taken online. The key is stored encrypted in one or more parts on that offline machine.
The public part of this private key is exported and taken online, to be used with the online service. Every key request from the service involves the derivation of a unique path from the public key, and that derivation path and username (email) are stored in a database. The KRS provider establishes a relationship with the user in this step.
To initiate a recovery, the wallet owner accesses a page hosted on the KRS which helps to locate their funds on the blockchain and build the recovery transaction. Signing happens client-side and uses the wallet owner's user key to provide a single signature on the transaction. This transaction is then sent to the KRS operator for co-signing.
The KRS operator may verify and implement any security processes at this point, using methods such as email, phone calls, notarized letters, time delays, etc. When they are ready to proceed, the KRS operator brings the half-signed transaction offline to the air-gapped environment, where it can be signed. The fully signed transaction is then brought back to the online environment. Through the entire process, the private key never leaves the offline environment.