When users activate 2 factor authentication (2FA) in their personal settings, they need to provide a one-time passcode after entering their username and password at login.

However, sometimes bad things happen: lost of the phone or similar, and they cannot retrieve that passcode any more. If they also didn't save their backup codes, login would become impossible for them.

They should contact you, the system administrator then. You can then use this API request to disable their 2FA. After successful operation, they can login with just their username and password, and eventually reactivate their 2FA.