Admin locked out of site after deleting two-factor keys from prefs

If you have managed hosting you should be able to ask your managed hosting provider to do this for you, so I don’t see the problem there.

I’m afraid this topic is the formal bug report.

Of course the fix should also include removal of existing backup codes where there is no 2FA method present.

When there is no 2FA configured, the backup codes should IMO be removed from the database to prevent unnecessary “orphaned” data being present.

3 Likes

Although sam is the right person to ask if this bug can be prioritized (not sure if tagging is appreciated though), I suspect an email to team@discourse.org will get your operational problem fixed more quickly.

5 Likes

Other people are reading this topic as well so IMO it did no harm to point everyone in the right direction.

3 Likes

@Osama are you handling this fix or do I need to get to work?

Feel free to send a carefully tested PR and we will evaluate.

Moved @lukastribus discussion to team PM who can triage there.

1 Like

The solution to this problem was merged - FEATURE: better UI to manage 2fa by lis2 · Pull Request #19338 · discourse/discourse · GitHub

When the last authenticator is deleted, we disable 2fa. User is asked to confirm to avoid disabling 2fa by mistake:

7 Likes
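
The two rules discussed in this topic (backup codes should not outlive the last 2FA method, and deleting the last authenticator disables 2FA only after confirmation), as an added Ruby example that is not Discourse's code or the code from PR #19338. The hash layout, the kind names and every function name are hypothetical, and the sample rows are constructed.

```ruby
# Added illustration; not Discourse code. All names here are hypothetical.
# One user's second-factor rows are modelled as hashes { id:, kind: },
# where kind is :totp, :security_key or :backup_code.
class ConfirmationRequired < StandardError; end

PRIMARY_KINDS = %i[totp security_key].freeze

def primary?(factor)
  PRIMARY_KINDS.include?(factor[:kind])
end

# Audit check: backup codes that remain although no primary authenticator
# is left. This is the "orphaned" data the topic asks to have removed.
def orphaned_backup_codes(factors)
  return [] if factors.any? { |f| primary?(f) }
  factors.select { |f| f[:kind] == :backup_code }
end

# Remove one primary authenticator and return the rows that remain.
# Removing the last one disables 2FA as a whole: the backup codes are
# purged as well, and the caller must pass confirmed: true.
def remove_authenticator(factors, id, confirmed: false)
  target = factors.find { |f| f[:id] == id && primary?(f) }
  raise ArgumentError, "no authenticator with id #{id}" unless target

  remaining = factors.reject { |f| f[:id] == id }
  return remaining if remaining.any? { |f| primary?(f) }

  raise ConfirmationRequired, "this disables 2FA" unless confirmed
  []
end

# Constructed sample data: one TOTP authenticator plus two backup codes.
SAMPLE = [
  { id: 1, kind: :totp },
  { id: 2, kind: :backup_code },
  { id: 3, kind: :backup_code }
].freeze
```
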