Lost user-password, DELETE user and make new one

I would recommend both enabling the policy and requiring new members to enroll automatically if you want to avoid recovery issues in the future.

Unfortunately, this requires the user to be added to the Org after this policy is enabled, or the user will need to self-enroll if already a member of the Org prior to the policy being enabled.
Should have mentioned that at first but seems you found that notice anyways.

Turning on the Account recovery administration policy will allow owners and admins to use password reset to reset the master password of enrolled users. By default, users will need to self-enroll in password reset; however, the automatic enrollment option can be used to force automatic enrollment of invited users.

The Account recovery administration policy is required for your organization to use SSO with trusted devices.

Note
The Single organization policy must be enabled before activating this policy.

So this will not assist if the policy is not currently enabled and the user has forgotten their credentials.

This would not have anything to do with logging in to the user’s account; this simply disables the option for the account to be Unlocked with PIN. I recommend looking up and reviewing the differences between Vault Unlock and Vault Login.

If the concern here was simply resetting 2FA, that can be disabled via the Admin panel, but if they have forgotten their master password, likely the only course of action then would be to delete the user from the backend admin panel, and invite the user again to your instance and have them added to your Org.

Otherwise, you may need to edit the DB manually to delete the account.