Make TOTP auditing available in the reports. I recently had a support call because the TOTP for one of our business-critical sites went missing and the application provides zero traceability in order for me to know whether this was caused by another user who intentionally or accidentally clicked on "delete" (which by the way is really poor design to place the "delete" action right above the eye). Disabling MFA/TOTP should be way harder and require either credential owner approval or admin approval.
As a result of this TOTP going missing (and it seems that you're also unable to audit this at the moment), I've spent half of last week and this entire day trying to recover our name.com credentials. 💀 So yeah, pretty bad.