Currently, users who forgot their password cannot recover account access if they are using a new or cache-cleaned device. They need to contact their admin.
I suggest this should not be necessary if the user account already has a working 2FA/authenticator app.
Please allow users to recover the account via authenticator verification.