Best practice for resetting a user's MFA?
I'm putting together an API for a project, and one of the requirements is MFA. I'm using TOTP and that all works. I also have facilities to clear the MFA token and regenerate / re-enroll the secret, but I'm wondering what the best practice is for invoking that.
Essentially I need a "forgot password" but for their MFA method (e.g. if they lose their phone or MFA secret).
Would a valid password + validation email be sufficient? Or should I require the user to contact the administrators to reset the MFA? Or something else?
Implementation Notes:
- MFA is required for a password reset, so if their email is compromised, the attacker wouldn't necessarily be able to set a new password
- A valid email address is required and verified at signup.
- If they lose access to their email and MFA, they will have to contact the application administrators for assistance.
- This isn't a "high stakes" application (e.g. not banking, healthcare, etc.), but I do want to make sure accounts are reasonably secure.