Make 2FA management more flexible
Currently, we take an 'all-in-one' approach to 2FA management. Assuming you have a 2FA app, plus a U2F device, let's say you now want to switch out your authentication app (because you got a new phone, for example). You will have to completely disable all forms of 2FA and start from scratch - registering your app, then your U2F device(s).
From a code standpoint, each of these things is separate - we can replace a 2FA app without disabling, and we can generate new recovery codes.
I understand that we do want to require an app in order to use U2F, so that piece can stay. However, we should allow a user to replace the app device without disabling everything.
2FA - Disabled
2FA - Enabled
Edited by Peter Hegman

