Make 2FA management more flexible
Currently, we take an 'all-in-one' approach to 2FA management. Assuming you have a 2FA app plus a U2F device, let's say you now want to switch out your authentication app (because you got a new phone, for example). You will have to completely disable all forms of 2FA and start from scratch - registering your app, then your U2F device(s). Additionally, if you lost your recovery codes, you will have to completely disable 2FA and start again.
From a code standpoint, each of these things is separate - we can replace a 2FA app without disabling, and we can generate new recovery codes.
I understand that we do want to require an app in order to use U2F, so that piece can stay. However, we should allow a user to replace the app device without disabling everything.
Here is a POC UI I put together to address this idea. It's not perfect, so I'd appreciate some input from UX in GitLab FOSS.