Bypass of 2FA?

This is a misunderstanding. That user did not have any 2FA enabled for their Bitwarden account, or else they would not have been challenged with Bitwarden’s recently implemented “New Device Login Protection” (which sends an email verification code to users who have not enabled 2FA). Yes, customer service can disable “New Device Login Protection” on a case-by-case basis, but you should think of “New Device Login Protection” more as a nag mechanism for encouraging users to enable 2FA (which by itself completely disables the “New Device Login Protection” process).

What if you lose access to your hardware keys (or if they malfunction)? Are you willing to risk complete loss of all contents in your Bitwarden vault?

The main way would be to steal your personal 2FA Reset Code. Accessing this would require the attacker to either gain access to your web vault, steal the code through phishing or social engineering attacks, or access your Emergency Sheet (the security of which is entirely within your control).

Another way to bypass the 2FA would be to access one of your devices on which you have previously used the “Remember Me” option when logging in to Bitwarden within the past 30 days.
