by raesene9 1577 days ago
Often the problem with MFA setups is: what's the fallback mechanism for when the user loses their password+MFA token? None of the options are perfect.

1) Permanently lock them out of their account. Not a good customer experience and problematic in this setup (orphaned libraries).

2) Written "back-up codes", fine in theory, but I'd guess a decent proportion of them are not well managed.

3) Fall back to manual verification (e.g. phone call establishing secondary information). Expensive and error-prone.