If the user has successfully provided the login code, but they forgot the 2FA password, the account should be reset: this can be done using account.deleteAccount.
If the account's 2FA password was modified more than 7 days ago and was active in the last 7 days, account deletion will be delayed for 7 days, and a service message will be sent to the user, containing a link in one of the following formats:
https://telegram.me/confirmphone?phone=XXX&hash=YYYYtg://confirmphone?phone=XXX&hash=YYYYWhen clicked, account.sendConfirmPhoneCode must be called with the specified hash, using the account with the specified phone number.
This will send a phone number verification code to the phone number associated with the account.
The phone code settings are the same as for the login code, and auth.cancelCode with auth.resendCode can be used as well, to resend or cancel the phone code as for the login code.
Once the SMS code is received, the account.confirmPhone method will have to be called with the SMS code and the phone hash received from the account.sendConfirmPhoneCode method.
This will cancel deletion of the account and will log out the user that tried to reset it. Otherwise, if the number isn't confirmed in 7 days, the account will be deleted and the user will be free to recreate it.
How to register a user's phone to start using the API.