I'm saying that if you have the password and the email address, bypassing 2FA would not be unreasonable, and it's what most services end up doing (for better or worse). Recovery codes are the ideal, of course.

But yeah, this is also why every new Android/iOS device can act as a FIDO2 token - the more tokens people have, the easier it is to recover with a second token vs having to fall back to less safe methods.