

I understand that this is frustrating but it is arguably the right option. If the correct owner can recover the account without TOTP then the TOTP isn’t really protecting the account.
Of course there are various ways to authenticate and it can make sense to have authentication to be (username + password + OTP) OR (email verification) but for a lot of people that email verification is a weaker link. It is more secure to only allow the former.
What I wish is that more sites would document their account recovery procedure. Often times they ask for a phone number for verification or notifications and that silently becomes a backdoor into the account. Even better would be if users can select what authentication combos are supported on a per-account basis (there are a few companies with “lockdown” settings that are a simplified version of this).
Of course it then becomes important to make it clear to the user “if you ever loose you X your account is forever lost”. It shouldn’t be surprise.
Trump doesn’t appear to care much about the law.