I see that a new user right, 'oathauth-disable-for-user', was added to Ex:OATHAuth, which allows its holders (by default: sysops; on WMF only those in the staff global group) to remove 2FA from any account. However, by looking at the code of Ex:OATHAuth, I can't see that the use of this extremely sensitive feature is being logged anywhere.
For accountability, the use of this feature must be logged IMHO (for example, in the private suppression log or another ad-hoc private log) and a reason field should also be added so we know why User:Ticio disabled 2FA for User:Cayo.
(Maybe for another task: send an email to the registered preferences address of the user whose 2FA was disabled, with details of who and why?)
Note: feature added per T195207 & logging seems to be discussed at T151010 & T210643? (can't access, but I see a revert patch without much information; this is about on-wiki logging of on-wiki actions performed with wiki special pages, not just in Logstash, etc.).