Is it possible to set 2FA so that it cannot be undone in any way - password for /etc/pam.d/common-auth or total deactivation rescue mode?

I would like to be sure that without knowing the password no one can delete / edit the 2FA credentials etc can I securely password protect them or are there other ways to achieve such a result? I explain exactly how I see it . Folder with file /etc/pam.d/common-auth - gives information that linux is supposed to require 2FA code. On the system every operation requires me to code - root login or sudo command. The problem is - that in rescue mode this entry without a problem can be deleted and thus disable 2FA - that is 2FA in principle has no meaning if I can disable it without having the 2FA code. There is a topic similar to mine (but with U2F). But there the author has concerns that if he loses the U2F conflict he will lose access to the system. Why no answer wrote such a simple workaround as rescue mode ? It is a little strange https://askubuntu.com/questions/1167691/passwordless-login-with-yubikey-5-nfc/But There were really a lot of answers there, and everyone warns that he may lose access to the system. So I'll ask again. Is it possible to set 2FA so that it cannot be undone in any way (like editing a common-auth file in rescue mode?