New 2FA Recovery Policies
2FA resets account for a large amount of our GitLab.com ticket volume (see #1522). While we have some progress on automating these steps, a better, more long-term solution might be to reevaluate our 2FA recovery process and policies. It may be more efficient to offer additional recovery methods (such as via SMS and PAT), which could give customers up to four different recovery methods (recovery codes, SSH key, SMS, PAT). Then, our policy could be that if a user is unable to use any of these recovery methods, their account is essentially lost. This is similar to GitHub's approach. I also believe this is ultimately better for security.
If support can determine that this would be effective, we could push an issue for gitlab-ce to add these features to the 2FA recovery process.