Provide a second or third way to do 2 factor authentication, which can be used in case the originally set up authenticator app can’t be used anymore (phone broken, lost, app deleted).
Usually systems with 2 factor authentication not only use a single way to authenticate with a code generating app. Instead the user can provide a different email address or a phone number to receive a code for 2fa when the authenticator app can’t be used.
Users are locked out of web.nuki.io when the authenticator app can’t be used anymore.
Dropbox 2FA allows using different ways to authenticate
Totally agree with this. On November 28 2018 2FA simply stopped working for me, wouldn’t accept any code, sent email to Nuki support same day, got a reply on December 11(!) that they need me to confirm my email address so they could deactivate 2FA, I confirmed the same day, got another reply on December 14 that 2FA was deleted. However it was NOT deleted and a few days later it just started working again. Spooky stuff.
Truth be told I didn’t have issues since, maybe it was just a temporary (well, if 2-3 weeks can be called temporary) problem, but if it happened once it could happen again, this is technology, sometimes things break or don’t work as expected, it’s natural, but users should be provided with alternatives exactly for cases like this.