Wouldn't this be possible to circumvent if the user is allowed to switch TOTP devices? Are you saying you'd like a way to irrevocably tie this to a single TOTP secret? And you're not worried that someone could steal your TOTP secret and you'd be 100% powerless to stop them?
Perhaps I could have phrased it better. I meant don't let me disable 2FA without first authenticating using 2FA. So ignore any emails to support, 2FA reset links, secret questions, pleas for help, and anything else that would have you think that I no longer have access to my 2FA device and backup codes.
Changing devices is allowed but to do so I would authenticate using my password + 2FA prior to doing so.
Another option would be to make it an easily abortable multi-step process with a long delay timer, i.e. you disable 2FA and an abortable 3-4 day timer starts ticking with frequent reminder mails in between. Once the timer is done, you can confirm the deactivation.
Video games have been doing similar things for character deletion for years, yet it is rarely if ever found for account credentials in general.
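The policy sketched in this thread (password + 2FA to rotate a device or start a disable, an abortable delay before the disable takes effect, and no support-ticket bypass), as an added illustration that is not from any commenter; `TwoFactorPolicy`, `verify_totp` and the epoch-seconds clock are assumed names, and the TOTP verifier is a stand-in for a real one.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

DISABLE_DELAY = 3 * 24 * 3600  # seconds: abortable cool-down before 2FA may be switched off

@dataclass
class Account:
    totp_enabled: bool = True
    disable_requested_at: Optional[float] = None  # epoch seconds; None = nothing pending

class TwoFactorPolicy:
    # Hypothetical policy: verify_totp stands in for the real TOTP check; the clock is injectable for tests.
    def __init__(self, verify_totp: Callable[[str], bool],
                 now: Callable[[], float] = time.time):
        self.verify_totp = verify_totp
        self.now = now

    def _require_second_factor(self, password_ok: bool, totp_code: str) -> None:
        if not (password_ok and self.verify_totp(totp_code)):
            raise PermissionError("password + current TOTP code required")

    def rotate_device(self, acct: Account, password_ok: bool, totp_code: str) -> None:
        """Switching authenticators is allowed, but only after proving the old one."""
        self._require_second_factor(password_ok, totp_code)

    def request_disable(self, acct: Account, password_ok: bool, totp_code: str) -> float:
        """Start the timer; returns the earliest time confirm_disable() can succeed."""
        self._require_second_factor(password_ok, totp_code)
        acct.disable_requested_at = self.now()
        return acct.disable_requested_at + DISABLE_DELAY

    def cancel_disable(self, acct: Account) -> None:
        """Abort from a reminder mail; deliberately needs no authentication."""
        acct.disable_requested_at = None

    def confirm_disable(self, acct: Account, password_ok: bool, totp_code: str) -> bool:
        """Turn 2FA off only if the request survived the whole delay, re-proving 2FA."""
        if acct.disable_requested_at is None:
            return False
        if self.now() < acct.disable_requested_at + DISABLE_DELAY:
            return False  # timer still running; reminders keep going out
        self._require_second_factor(password_ok, totp_code)
        acct.totp_enabled = False
        acct.disable_requested_at = None
        return True

    def support_reset(self, acct: Account, ticket_text: str) -> bool:
        return False  # support tickets, reset links, secret questions never bypass the policy
```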