Allow option for OTP to be disabled when multiple U2F keys are configured
### Summary

When using two factor, given that the two-factor shared key and password are stored on the same device, it effectively becomes one factor. I've registered my primary and backup U2F devices on my GitLab account to make up for this. However, I cannot remove the previous authentication method: two-factor codes. This basically allows trivially circumventing any potential security that using U2F devices could provide.

### Steps to reproduce

1. Register a U2F device (e.g. a YubiKey).
2. Register a U2F backup device.

### What is the current *bug* behavior?

I cannot remove the two-factor authentication from my account. U2F can be circumvented, and both the password and two-factor key are stored on the same device: my phone.

### What is the expected *correct* behavior?

I should be able to remove the less-secure 2FA from my account if I've set up U2F. This kinda reminds me of sites where I can turn on 2FA-TOTP, but must leave on some other more insecure way to bypass it.

### Possible fixes

When a user registers two U2F devices, allow them to remove 2FA as an option. I say _two_ since it's standard practice to keep a backup.