Currently, if the user loses control of the authentication device and loses their HOTP codes as well, accounts with 2fa enabled can't be recovered. Our current guidelines set out at Wikitech require, for any op to unenroll any user from 2fa in these cases, that the identity of the account be confirmed. While this can happen in other ways as well, said guidelines indicate that a committed identity can be used to provide such a proof.
My idea is that, when enabling 2fa, we could optionally allow the user to enter some secret word or phrase and generate a SHA-512 or Whirlpool hash (whichever is more secure, or another more secure one). If generated, the hash could be stored in a Special page, such as Special:CommittedIdentities. We should emphasize that the user should remember the word or phrase they choose, as that will be used to confirm the identity of the account.
In the event of an account compromise where the user has lost their HOTP scratch codes and/or does not remember their password, etc., the op could access the special page and see the hash, and using a secure method of communication, ask the user for the phrase, compare the hash and confirm the identity of the account to proceed with the password reset.
Thank you.