I have my MFA setup with both Yubikey and Google Authenticator (with GRID as a paper backup). My thought there is that if my Yubikey is lost, I will probably still have my phone. If my Yubikey and phone are lost, something very bad has happened.
But, my concern here is that to disable Yubikey and get to the Google Authenticator option, I need access to my email box. I guess I understand this, but I'm not trying to disable 2FA totally, just get to the next (equally valid) option.
Can we get an option to simply select from "any available" 2FA options that are enabled for the account? I suppose you could argue that this gives a broader attack surface, but since it would be valid for me to only have Google Authenticator (or SMS, for that matter) as my 2FA options, allowing me to say "any of the above" should be fine (especially if that's a user-configurable feature).
Edit: the crux of the problem here is that if I lose access to my Yubikey I must *know* my email password to bypass the 2FA. But, I don't know my email password from memory because it is high entropy and stored in Lastpass.
tl;dr enable an option to use "any available" Multifactor Authentication. Available = An option you have configured for your account.