As an administrator I'm not able to remove the last second factor of an account at the moment, if that user is forced to have a second factor.
If that user has lost his access to his OTP, he might not be able to login anymore. Therefore an admin should always be allowed to remove the last second factor of other users (not himself!), no matter what roles etc. they have to help with issues with lost second factors (broken phone, ...).
As an administrator I'm not able to remove the last second factor of an account at the moment, if that user is forced to have a second factor. If that user has lost his access to his OTP, he might not be able to login anymore. Therefore an admin should always be allowed to remove the last second factor of other users (not himself!), no matter what roles etc. they have to help with issues with lost second factors (broken phone, ...).