
There's a server in my company which is configured with Google two-factor authentication.

A user from the company has lost his phone and can't find his emergency codes.

What can be done in order to recover his account?

Is it possible to enforce 2FA on specific groups in the server?

Itai Ganot

1 Answer


I've found the answer to my question and no one answered so I'll answer myself for future reference.

In order to enforce Google two-factor authentication on a specific group:

First, create a group or use an existing one, mine is called "gauth".

Then, edit /etc/ssh/sshd_config and add to the end of the file, just under "UsePAM yes", the following lines:

Match Group gauth
    AuthenticationMethods publickey,keyboard-interactive

This setting means that every user who is part of the "gauth" group will be forced to supply a public key + manually enter a password (in my case it's Google Authenticator's one-time password).

In regard to my other question... how to recover an account when emergency codes are unavailable?

There is no way to recover the account without emergency keys, it is best to print your emergency codes and save them somewhere safe and offline.

Itai Ganot
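The procedure in the answer above, as an added example that is not part of the original post or of any project's own tooling: a small POSIX shell script that appends the `Match Group` block for a given group idempotently, reads back which `AuthenticationMethods` apply inside that block, and checks the two global settings `keyboard-interactive` depends on (`UsePAM yes` and challenge-response/keyboard-interactive authentication enabled), so the change can be rehearsed on a copy of the file before touching the real `/etc/ssh/sshd_config`. The group name, the config path and the helper names are assumptions chosen for the example; the block text itself is the one from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer). Manages the "Match Group"
# block that forces publickey + keyboard-interactive (PAM, e.g. Google
# Authenticator OTP) for one group. Every function takes the config path as
# an argument so it can be dry-run on a copy, e.g. cp /etc/ssh/sshd_config /tmp/sshd_config.
# Assumptions: group name and config path are parameters; the block goes at
# the end of the file, after "UsePAM yes", exactly as in the answer.

# Print the Match block for a group. A Match block applies until the next
# Match line or end of file, so everything appended after it is group-scoped.
render_match_block() {
    group=$1
    printf 'Match Group %s\n    AuthenticationMethods publickey,keyboard-interactive\n' "$group"
}

# Append the block only if no "Match Group <group>" line exists yet,
# so re-running the script never duplicates it.
ensure_match_block() {
    config=$1; group=$2
    if grep -Eq "^[[:space:]]*Match[[:space:]]+Group[[:space:]]+$group"'([[:space:]]|$)' "$config"; then
        return 0
    fi
    { printf '\n'; render_match_block "$group"; } >> "$config"
}

# Report the AuthenticationMethods that apply inside the Match block for a
# group: walk the file, track which Match block we are in, stop at the next Match.
# Prints nothing if the group has no block (sshd keywords are case-insensitive,
# but this check is exact, matching the spelling used above).
group_auth_methods() {
    config=$1; group=$2
    awk -v g="$group" '
        /^[[:space:]]*Match[[:space:]]/ { in_block = ($2 == "Group" && $3 == g); next }
        in_block && $1 == "AuthenticationMethods" { print $2; exit }
    ' "$config"
}

# Lock-out guard: keyboard-interactive only works when PAM is on and
# challenge-response (older sshd) or KbdInteractiveAuthentication (newer sshd)
# is enabled in the global section. Returns 1 if either is missing.
check_prerequisites() {
    config=$1
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$config" || return 1
    grep -Eiq '^[[:space:]]*(ChallengeResponseAuthentication|KbdInteractiveAuthentication)[[:space:]]+yes' "$config" || return 1
    return 0
}

# Syntax-check the result with sshd itself when it is installed
# (sshd -t exits non-zero on a bad config); never restart sshd without this.
validate_config() {
    config=$1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$config"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}
```

Run it against a copy first (`ensure_match_block /tmp/sshd_config gauth && validate_config /tmp/sshd_config`), keep an existing SSH session open while reloading the real daemon, and confirm from a second session that a `gauth` member is prompted for the OTP after the key exchange while a non-member is not.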