When activating 2FA, it clearly says: you must store the recovery codes safely. If you lose your authentication device and your recovery codes, you will lose access to your account.
That is correct. If you can’t login to your account, you can’t login to your account. For both the first layer of authentication (email/password) and the second layer of authentication (authenticator / recovery codes) we provide a main authentication method and a fallback. If you lose the main method and the fallback, you’ll lose access.
That is correct. The account deactivation button is login protected to prevent authorized changes to accounts.
Whoever created this account added an additional layer of security to their profile by enabling two factor authentication. What kind of security would it be if we just disabled it because someone else came on this forum and said “hey, that’s my account, can you give me access”?
When we implement a security system, we implement it to actually protect things. It’s not window dressing which we disable the second it becomes inconvenient.