I think it is better we just have 2FA to include the lost password form. If someone has enabled 2FA they have to successfully go through 2FA (be it SMS code, Google Authenticator, or a recovery code) to do a password reset. If they can't do that, they can talk to an admin about regaining access.
No need to have multiple tangential approaches to security. Best to center around one set of very well implemented concepts.
Just to be clear, this would be a 2FA reset. So they'd have the SMS/Google Authenticator/Recovery code factor COMBINED with the email factor. Instead of the current single factor reset, which is just email.
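The reset flow proposed above (emailed token combined with the account's existing second factor, falling back to an admin when neither works), written out as an added example. This is not the project's code; `User`, `ResetService` and the in-memory store are assumptions, the TOTP routine is plain RFC 6238 (the algorithm Google Authenticator implements), the recovery codes are stored hashed and are single-use, and the sample secret and codes are constructed for the demo.

```python
"""Password reset that demands the second factor whenever 2FA is enabled.

Added example, not the project's code. Hypothetical names: User, ResetService.
Storage is an in-memory dataclass; a deployment would persist the token hash
and recovery-code hashes server-side and use a real password hash (argon2/bcrypt).
"""
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

RESET_TOKEN_TTL = 15 * 60  # seconds an emailed reset token stays valid
TOTP_STEP = 30

# Constructed test secret (the RFC 6238 reference key), base32 as authenticator apps store it.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def totp_code(secret_b32: str, at: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: counter = floor(time / step), dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


@dataclass
class User:
    email: str
    password_hash: str
    totp_secret_b32: Optional[str] = None                    # None => 2FA not enabled
    recovery_code_hashes: set = field(default_factory=set)   # hashed, each usable once
    reset_token_hash: Optional[str] = None
    reset_token_expires: float = 0.0

    @property
    def two_factor_enabled(self) -> bool:
        return self.totp_secret_b32 is not None


class ResetService:
    def request_reset(self, user: User, now: float) -> str:
        """Email factor: mint a one-time token and keep only its hash."""
        token = secrets.token_urlsafe(32)
        user.reset_token_hash = sha256_hex(token)
        user.reset_token_expires = now + RESET_TOKEN_TTL
        return token  # would be delivered to user.email

    def complete_reset(self, user: User, token: str, new_password: str, now: float,
                       totp: Optional[str] = None,
                       recovery_code: Optional[str] = None) -> Tuple[bool, str]:
        # Factor 1: the emailed token, checked for expiry and compared in constant time.
        if user.reset_token_hash is None or now > user.reset_token_expires:
            return False, "token_expired"
        if not hmac.compare_digest(sha256_hex(token), user.reset_token_hash):
            return False, "bad_token"
        # Factor 2: mandatory when the account has 2FA; email alone is never enough.
        if user.two_factor_enabled and not self._second_factor_ok(user, now, totp, recovery_code):
            return False, "second_factor_required"
        user.password_hash = sha256_hex(new_password)
        user.reset_token_hash = None  # token is single-use
        return True, "ok"

    def _second_factor_ok(self, user: User, now: float,
                          totp: Optional[str], recovery_code: Optional[str]) -> bool:
        if totp is not None:
            # Accept the current step and one on either side to tolerate clock skew.
            for skew in (-1, 0, 1):
                expected = totp_code(user.totp_secret_b32, now + TOTP_STEP * skew)
                if hmac.compare_digest(expected, totp):
                    return True
        if recovery_code is not None:
            digest = sha256_hex(recovery_code)
            if digest in user.recovery_code_hashes:
                user.recovery_code_hashes.discard(digest)  # burn it: single use
                return True
        return False


def demo() -> dict:
    """Run the flow against a constructed 2FA user and a constructed non-2FA user."""
    now = 1_700_000_000.0
    codes = ["rc-alpha-1", "rc-bravo-2"]  # constructed recovery codes
    alice = User("alice@example.invalid", sha256_hex("old"), TEST_SECRET_B32,
                 {sha256_hex(c) for c in codes})
    bob = User("bob@example.invalid", sha256_hex("old"))  # no 2FA enrolled
    svc = ResetService()
    results = {}
    token = svc.request_reset(alice, now)
    results["email_only"] = svc.complete_reset(alice, token, "new1", now)
    results["email_plus_totp"] = svc.complete_reset(alice, token, "new2", now,
                                                    totp=totp_code(TEST_SECRET_B32, now))
    token = svc.request_reset(alice, now)
    results["recovery_first_use"] = svc.complete_reset(alice, token, "new3", now, recovery_code="rc-alpha-1")
    token = svc.request_reset(alice, now)
    results["recovery_reuse"] = svc.complete_reset(alice, token, "new4", now, recovery_code="rc-alpha-1")
    token = svc.request_reset(bob, now)
    results["no_2fa_email_only"] = svc.complete_reset(bob, token, "new5", now)
    results["expired"] = svc.complete_reset(bob, token, "new6", now + RESET_TOKEN_TTL + 1)
    return results
```

The point the thread makes is visible in `complete_reset`: the emailed token is necessary but, for an enrolled account, never sufficient, and the "talk to an admin" path is simply the absence of any code branch that bypasses the second factor. Recovery codes are consumed on use so a leaked code cannot be replayed, and token and code comparisons use `hmac.compare_digest` to avoid timing leaks.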