by mschuster91 1486 days ago
You can't login without the second factor and only the password because that is literally the entire point of having a second factor.

You should not be able to reset a 2FA token purely by having access to the target's email (or SMS) account in a halfway decent system.

Your only hope will be the recovery codes but well, how many people actually read the fine print on these?

1 comment
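The design sketched in the comment above, a login that always requires the second factor and whose only fallback is a set of pre-issued, single-use recovery codes with no e-mail or SMS reset path, as an added Python example (this is illustrative code, not part of the thread). It assumes PBKDF2-SHA256 for the password, RFC 6238 TOTP as the second factor, and 40-bit recovery codes stored only as SHA-256 digests; the parameter choices are for the example and are not tuned recommendations.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

# Assumption: iteration count chosen for the example only.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def normalize_code(code: str) -> str:
    # Users type codes with or without the separator and in any case.
    return code.replace("-", "").replace(" ", "").lower()


def hash_recovery_code(code: str) -> str:
    # Recovery codes are random and high-entropy, so a plain digest is
    # enough to keep them out of the database in clear text.
    return hashlib.sha256(normalize_code(code).encode()).hexdigest()


def generate_recovery_codes(count: int = 10) -> List[str]:
    # 40 bits of entropy per code, shown as xxxxx-xxxxx for legibility.
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP over HMAC-SHA1 (the common authenticator-app default).
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    def __init__(self, password: str, recovery_codes: List[str]):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = secrets.token_bytes(20)
        # Only digests are stored; the clear-text codes are shown to the user once.
        self.recovery_hashes = {hash_recovery_code(c) for c in recovery_codes}


def login(account: Account, password: str, second_factor: Optional[str],
          now: Optional[float] = None) -> str:
    """Password alone never grants access; there is deliberately no
    reset-2FA-by-email branch anywhere in this flow."""
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return "denied"
    if second_factor is None:
        return "denied: second factor required"
    expected = totp(account.totp_secret, now).encode()
    if hmac.compare_digest(expected, second_factor.encode()):
        return "ok"
    digest = hash_recovery_code(second_factor)
    if digest in account.recovery_hashes:
        account.recovery_hashes.discard(digest)  # single use: burn it on success
        return "ok: recovery code consumed"
    return "denied: second factor required"


if __name__ == "__main__":
    codes = generate_recovery_codes()
    acct = Account("correct horse battery staple", codes)
    print("recovery codes issued once:", codes)
    print(login(acct, "correct horse battery staple", None))
    print(login(acct, "correct horse battery staple", codes[0]))
    print(login(acct, "correct horse battery staple", codes[0]))
```

The point worth noticing is structural rather than cryptographic: the only way past the second-factor check is something the user was handed in advance (the TOTP secret or a recovery code), and a consumed recovery code is removed from the set so a leaked printout cannot be replayed. A real deployment would add rate limiting on the second-factor check and a warning when the remaining code count runs low.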

I'm saying that if you have the password and the email address, bypassing 2FA would not be unreasonable, and it's what most services end up doing (for better or worse). Recovery codes are the ideal, of course.

But yeah, this is also why every new Android/iOS device can act as a FIDO2 token - the more tokens people have, the easier it is to recover with a second token vs having to fall back to less safe methods.