SOLUTION: As admin user, visit the locked-out user’s details page, scroll right to the bottom and click the red Impersonate button.
Then in the user preferences, add a 2FA method. (need to have the user’s password to do this)
The 2FA secret has to be given to the locked-out user.
In this case I am both users, so not a difficult task 
1 Like