This is what I get for switching from Ubuntu to Mint and trying to use Steam.

  • @Randelung
    414 hours ago

    Reset password via email. Reset second factor via email. Email is the only factor, neither password nor the 2FA.

    Usually, the actual login is not the easiest target for an attacker; the recovery methods are. You call a helpline to get a second SIM for SMS codes. You guess (or dig up) answers to recovery questions if available. You get access to email accounts, e.g. via phishing.

    If a recovery path for a security factor is weak, it ceases to be a security factor. By allowing both password and the second factor to be recoverable via email, both factors collapse into one: get access to the email and you’re in.
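
The collapse described in the comment above can be checked mechanically when reviewing an account design. The following is an added example, not part of the original comment: it models each login factor with its recovery alternatives and computes the smallest set of things an attacker must control. All factor and asset names are constructed for illustration.

```python
from itertools import product

def minimal_compromise_sets(login_factors, recovery):
    """Minimal sets of assets an attacker must control to pass every login factor.

    recovery maps a factor to a list of alternatives; each alternative is the
    set of assets that is enough to reset that factor.
    """
    def ways(asset, seen=frozenset()):
        # Control an asset directly, or reset it through any recovery
        # alternative whose own assets can all be obtained (cycle-safe).
        found = {frozenset([asset])}
        if asset in seen:
            return found
        for alternative in recovery.get(asset, []):
            options = [ways(a, seen | {asset}) for a in alternative]
            found |= {frozenset().union(*combo) for combo in product(*options)}
        return found

    candidates = {frozenset().union(*combo)
                  for combo in product(*(ways(f) for f in login_factors))}
    # Drop any set that strictly contains another candidate.
    minimal = [set(c) for c in candidates if not any(o < c for o in candidates)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def effective_factor_count(login_factors, recovery):
    """Size of the smallest compromise set: the number of factors that really count."""
    return len(minimal_compromise_sets(login_factors, recovery)[0])

# Constructed models; all names are illustrative.
LOGIN = ["password", "second_factor"]
EMAIL_RESETS_BOTH = {"password": [{"email"}], "second_factor": [{"email"}]}
SEPARATE_RECOVERY = {"password": [{"email"}],
                     "second_factor": [{"printed_backup_codes"}]}

if __name__ == "__main__":
    for name, model in [("email resets both", EMAIL_RESETS_BOTH),
                        ("separate recovery", SEPARATE_RECOVERY)]:
        print(name, effective_factor_count(LOGIN, model),
              minimal_compromise_sets(LOGIN, model))
```

An effective factor count lower than the number of login factors means some recovery channel is shared, which is the design flaw to fix.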