2fa security key breaks when migrating to custom domain

After using the trydiscord domain and then configuring the real custom domain to use, 2fa breaks. I believe fido2 associates domains with the key.

Also, another admin can’t disable the key; it becomes “invalid parameters” (same as Can't turn off 2 factor). Trying to migrate again to the same custom domain will also be denied because “Hostname already exists.”

My account is then bricked, please advise.

2 Likes
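The binding the post above describes can be seen in the checks a WebAuthn relying party runs on each login. The following is an added example, not part of the thread and not Discourse's own code: the hostnames and sample data are constructed, the function names are hypothetical, and it assumes the RP ID equals the site hostname and leaves out signature verification.

```ruby
require "digest"
require "json"

# Constructed hostnames for illustration; not taken from the thread.
OLD_HOST = "forum.trydiscourse.example"
NEW_HOST = "forum.example.com"

# Build a constructed assertion as a browser and authenticator would return it.
# authenticatorData = SHA-256(rpId) (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)
def sample_assertion(rp_id, origin_host = rp_id)
  flags = 0x01 # UP bit: user present
  auth_data = Digest::SHA256.digest(rp_id) + [flags].pack("C") + [7].pack("N")
  client_data = JSON.generate({
    "type" => "webauthn.get",
    "origin" => "https://#{origin_host}",
    "challenge" => "Y29uc3RydWN0ZWQ" # constructed placeholder
  })
  { auth_data: auth_data, client_data_json: client_data }
end

# Relying-party checks that tie a security key to a domain:
# the origin recorded by the browser and the RP ID hash written by the authenticator.
def check_assertion(assertion, expected_host)
  client = JSON.parse(assertion[:client_data_json])
  return :wrong_type unless client["type"] == "webauthn.get"
  return :origin_mismatch unless client["origin"] == "https://#{expected_host}"

  auth_data = assertion[:auth_data]
  return :truncated_auth_data if auth_data.bytesize < 37

  rp_id_hash = auth_data.byteslice(0, 32)
  return :rp_id_mismatch unless rp_id_hash == Digest::SHA256.digest(expected_host)

  return :user_not_present if (auth_data.getbyte(32) & 0x01).zero?
  :ok
end

if __FILE__ == $PROGRAM_NAME
  puts check_assertion(sample_assertion(OLD_HOST), OLD_HOST)           # before the move
  puts check_assertion(sample_assertion(OLD_HOST), NEW_HOST)           # key still scoped to old host
  puts check_assertion(sample_assertion(OLD_HOST, NEW_HOST), NEW_HOST) # origin fixed, RP ID hash still old
  puts check_assertion(sample_assertion(NEW_HOST), NEW_HOST)           # key re-registered on new host
end
```

A key registered under the old hostname fails both checks at the new one, so the practical options are the ones discussed in this thread: backup codes, removing the key server-side, or re-registering after the move.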

maybe you could try this:

1 Like

This is the managed Discourse paid plan migration. So I’m afraid I don’t think I have that low-level access.

2 Likes

I’m afraid there is no permanent solution available at this time but you can contact the Discourse support email mentioned in your discourse admin area, they may be able to disable 2fa for all users.

3 Likes

I think so too. If you don’t have backup keys you’ll need to contact support.

It was solved by support by removing the security keys on my account. Don’t change domain name while having 2fa :slight_smile:
This should be a kind of common issue as you would change the domain when wanting to upgrade from discourse trial.

Oh and don’t lose access to your e-mail as that’s when you can request to remove security keys :wink:

7 Likes

FWIW, you can use the backup keys. I’ve done this on staging sites where they have 2fa turned on and the production database gets restored to the staging site with its own domain name.

4 Likes

@balboah quick update, we have this assigned internally and will come up with some better process for moving from “trydiscourse.com” domain to real domain that accounts for this issue.

3 Likes

Yeah I might have not paid attention. But I did add 2 keys as a backup and assumed other admins could recover my account.
This was the physical key flow, not authenticator code.

3 Likes

Did you already find a solution for this?

2 Likes

I am pretty sure our internal processes account for this today, we reset various settings and so on.

1 Like

Hi. I’m facing this same conundrum for a self-hosted forum that’s changing domains.

Anything in particular that I should consider?

See Jay’s reply in this topic: 2fa security key breaks when migrating to custom domain - #7 by pfaffman

3 Likes

It would be nice if there was a better process, though. Using backup keys for a large amount of users will boil down to a large support burden.

2 Likes

So there’s a way to change the 2fa records to match the new domain? Ooh, that sounds like one more way to make a restore more complicated! :wink:

But if that’s the case, it would be nice to be able to do that on staging sites that restore a production database periodically. I can try to have a look at that in a week or two, either in a plugin or a PR.

2 Likes