If a user has accidentally deleted the two-factor authentication settings in Google Authenticator or no longer has access to the app then it will be necessary to clear their secret key.
A user with user administration rights can do this by visiting the user's profile and choosing the Clear key button. If two-factor authentication is optional then they will now be able to log on without needing to supply a verification code. If it is mandatory then they will be given a new QR code to use with Google Authenticator the next time they attempt to log on.
Note that users cannot manage this process themselves unlike with forgotten passwords.