User Details
- User Since
- Mar 11 2018, 7:35 PM (328 w, 4 d)
- Availability
- Available
- LDAP User
- LDormans
- MediaWiki User
- Lars.Dormans [ Global Accounts ]
Seeing as U2F is indeed the most universal tool in the shed at this point, I too would favor declining this and instead using T100373: WebAuthn (U2F) integration for Extension:OATHAuth, since this would save developers from having to work with tons of device-specific APIs.
A brute force attack on a 2FA-enabled account is kinda impossible, since the code changes every 30 seconds and you have 10.077.696 possible combinations; I personally think the web server is able to handle that many requests in 30 seconds.
Give users a prompt on a timer stating that they should save their backup codes, or, like I do for some of my applications, only allow them to continue the 2FA setup if you detect they pressed the download button.
Also, don't forget to give massive warning texts; they should be big and bold so users notice them and don't spam Next.
This is the problem with 2FA: it is supposed to be a system where the user needs something not digital to log in. An email account can be hacked, so if they manage to get a reset token mailed to them, the physical aspect is gone, because there is now a digital access code in an email account which can be hacked. However, it is not viable to send a physical letter to every user who lost their 2FA. For low-profile users without any additional permissions this is an option, but it's something you need to consider, because it's bound to take away the physical aspect in some way. In my opinion we should explicitly state that if you somehow lose your codes your account is gone; this of course would not apply to people who can physically ID themselves, i.e. an admin.