I was looking at the Advanced Protection Program and apparently activated it but I didn't have the required security keys, so it wasn't fully active. However, this deactivated my existing 2FA on the account which seems like it really shouldn't happen until my APP enrollment was completed.
That's how it works - you can enable advanced protection without actually having the keys set up yet. It is then automatically disabled (along with 2FA) 14 days later if you don't register the keys within the timeframe.
I agree that this sounds a bit backwards and easy to mess up, but I guess in an emergency situation it would be useful to protect your account while the U2F keys are still in the mail.
I didn't have the physical security keys needed for setup. So yes, that's my fault. But there was no warning that my existing 2FA would be deactivated if I didn't complete the setup. Plus, I only found out about this because I happened to check my security settings. If I didn't, I might not have noticed at all since I ask my devices to remember me so I rarely see the 2FA prompts anyway.
I'm sorry but this is like saying I wiped my computer but didnt have backups so my data is gone.