An attacker disabling and then promptly re-enabling 2FA (thus locking me out of my own account) is a different problem altogether.