I am running an instance.
I have got a help requset via an email from a user, who says he/she had setup 2FA then later lost both of the device and the recovery code, wanting us to disable for the account.
Basically I don’t suppose he/she is lying.
But if one can disable 2FA for any account by requesing via email, then IMHO, it is just the security level of the email account that protects the Mastodon account.
So, I’d like to know how an instance admins here will/shoud treat if in this situation. Just ignore him/her, or is there a way that helps?