Only the user himself can recover it, not an admin.
Currently you can only switch the requirement off for everyone, so the user can login and recover the code or register a new one.
To delete all 2FA codes of a specific user in the database, you need to know the account_id of that user (eg. by enabling the Id column in Admin > Accounts, or looking it up in egw_accounts table) and then run the following SQL:
DELETE FROM egw_ea_credentials WHERE account_id=? AND cred_type=32
You need to replace the ? with the account_id of that user.