I've had this drama for years but fixed it completely using the method I posted above about enabling an authenticator application before disabling 2FA. I think my tracking and ad blockers were disabled at the time. I also cleared all the cookies for associated tracking domains.
Shortly after this fix, I bought a new computer and the issue returned with the new installation. I think it gets into some sort of corrupted state where it thinks a device is authorised but it isn't. An access token on the server or the client isn't been updated or replaced correctly.
I did the same thing, turned off all the tracking blockers, cleared all the cookies and enabled an athenticator application. This fixed the problem completely once again.
When it's broken, I always get prompted for a code from my phone if I've been idle for three hours. When it's fixed, it works exactly as expected. You can enable and disable 2FA at will and it will remember your authorised browser even if 2FA is on. This is the behaviour QB see, which is possibly why they don't understand the problem. Since rectifying the issue again on this new computer, it's never asked for a 2FA code.
Support have no idea about the issue and all the cut and paste responses from staff in this forum are useless at best.
It's probably a fairly complicated critical section of code with a small number of developers who have restricted access. It's unlikely it will ever be fixed if it's been broken for so many years.
I've spent a bit of time trying to break it again so I can say exactly what the issue is but I can't. It's behaving normally for me now as if the bug has been resolved but we all know it still exists.
