Today I looked at it again and found that:
[25] pry(main)> how.totp_enabled?
=> false
[26] pry(main)> how.backup_codes_enabled?
=> true
[27] pry(main)> how.totp_or_backup_codes_enabled?
=> true
So I tried to remove the backup codes as well, following the response above from @falco:
UserSecondFactor.backup_codes.where(user_id: id).each(&:destroy!)
Now here is the complete solution to disable OTP for a user when they have lost their way back in: you must remove both the totps entries and the backup_codes as well, so that the call to #totp_or_backup_codes_enabled? returns false.