Ideally users should setup two factors, one as a primary and one as a backup. e.g., WebAuthn as the primary and TOTP as the backup; or TOTP as the primary and Backup Codes as the backup.

Otherwise, they could get locked out of their account. On smaller sites an admin could reset them, but that's not practical on larger sites, or sites where the admin doesn't personally know the user.

Rough idea: