An email-based password+2FA reset loop is an option. The major motivator for 2FA is preventing replay of captured credentials for your own app, leaving out-of-band authentication permissible. Just hope the user didn't use the same password for your app and their email.
You could also try human-in-the-loop authentication by having the user describe their account contents to customer support. However, that's notorious for allowing account takeovers because people are always the weak point in security.