Hacker News

Etrade does this, drives me nuts; I can't delete old 2FA devices because I no longer have them. Where's the security benefit in that???


This is slightly different (worse IMO).

If you have a valid 2FA authenticator, you should be able to edit your 2FA Device List for any of your authenticators. But to do that, I would still expect the site to re-authenticate the user with one of their 2FA options in order to make the change.


To be fair that's what backup codes are for.


It's not that I can't get back into the account - it's just that I can't delete an old 2FA token that I lost. Because it asks for a code from the token that I'm trying to delete...


I see, that's a bug then. For all intents and purposes, backup codes should be equivalent to a 2FA token. So you should be able to use it when removing the old 2FA.


> Where's the security benefit in that???

Well... the security benefit is precisely that nobody can access your account without 2FA. Maybe you wanted to ask "what's the point in having security if usability can become so fragile?".

The point is to give users the secure option and let them decide what to go with, or at least make it clear to the users what the expected behavior is. So far it's obviously not clear. People assume that, since you need the password to change the password, you need 2FA to change 2FA. I mean that's why you enabled it, to protect all aspects of your account.

On the other hand you should have plenty of options to protect your 2FA: save the seed (QR code), have multiple tokens, save your recovery keys, etc. Not the least of which should also be for the operator to give you a secure reset option.


It's the opposite. I actually lost a 2FA token, got back into the account, added a new one - but I can't delete the old 2FA. You shouldn't ask for 2FA authentication of the same device that I'm deleting...

It'd be nice if they accepted the 2FA code from my other devices, but then it's questionable security; I just managed to log in with 2FA, are you asking me again to confirm my identity in order to delete an old device? Ok I guess... but I can already add a new device, you know. And then use it to delete all the others... are you really giving extra security?


> ... the security benefit is precisely that nobody can access your account without 2FA.

Except they can access it with any of the multiple 2FA registrations that grandposter can't delete.

I don't think it would weaken any security posture to allow any 2FA to manipulate all of them.
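The thread contrasts two removal policies: the one the commenters ran into (a device can only be removed with a code from that same device, so a lost device is stuck) and the one they argue for (any valid registered factor, or a backup code, re-authenticates the change). The model below is an added example written for this page, not code from any commenter or from any site's actual implementation; the device names, seeds, backup codes and timestamp are constructed sample values, and the policy names are assumptions. TOTP is computed per RFC 6238 over RFC 4226 HOTP so the codes are real.

```python
"""Added example: a 2FA device list with two removal policies (not from the thread).

  * "legacy":     the removal must be confirmed with a code from the device
                  being removed, which is the behaviour the thread complains
                  about (a lost device can never be removed).
  * "any_factor": the removal must be confirmed with a fresh code from any
                  registered authenticator, or with an unused backup code.

All seeds, device names, backup codes and timestamps are constructed samples.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(at // STEP_SECONDS))


@dataclass
class Account:
    devices: dict = field(default_factory=dict)       # name -> TOTP seed bytes
    backup_codes: set = field(default_factory=set)    # unused one-time codes
    used_steps: dict = field(default_factory=dict)    # name -> last accepted step


def sample_account() -> Account:
    """Constructed sample: a lost phone, its replacement, and two backup codes."""
    return Account(
        devices={"old_phone": b"constructed-seed-old-phone",
                 "new_phone": b"constructed-seed-new-phone"},
        backup_codes={"4f7d-91ab", "c02e-77d1"},
    )


def verify_factor(account: Account, name: str, code: str, at: float) -> bool:
    """Check a TOTP code from a registered device. Accepts the current step and
    the previous one (clock skew) and refuses to accept any step twice, so the
    code that just logged the user in cannot be replayed for the removal."""
    seed = account.devices.get(name)
    if seed is None:
        return False
    step = int(at // STEP_SECONDS)
    for candidate in (step, step - 1):
        if candidate <= account.used_steps.get(name, -1):
            continue                                    # already consumed
        if hmac.compare_digest(hotp(seed, candidate), code):
            account.used_steps[name] = candidate
            return True
    return False


def consume_backup_code(account: Account, code: str) -> bool:
    """Backup codes are single use; compare in constant time and burn on success."""
    for stored in list(account.backup_codes):
        if hmac.compare_digest(stored, code):
            account.backup_codes.discard(stored)
            return True
    return False


def remove_device(account: Account, name: str, proof_source: str, code: str,
                  at: float, policy: str) -> list:
    """Remove authenticator `name`, re-authenticating with `proof_source`
    (a registered device name, or "backup" for a backup code). Returns the
    remaining device names; raises PermissionError if the proof is refused."""
    if name not in account.devices:
        raise KeyError(name)
    if policy == "legacy":
        if proof_source != name:
            raise PermissionError("legacy policy: confirm with the device being removed")
        ok = verify_factor(account, name, code, at)
    elif policy == "any_factor":
        if proof_source == "backup":
            ok = consume_backup_code(account, code)
        else:
            ok = verify_factor(account, proof_source, code, at)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if not ok:
        raise PermissionError("re-authentication failed")
    del account.devices[name]
    account.used_steps.pop(name, None)
    return sorted(account.devices)
```

The `used_steps` bookkeeping is what makes the re-authentication in the "any_factor" path meaningful: the code that just completed login is spent, so the site really is asking for a fresh proof rather than re-checking the one it already saw.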



