He needs 2 out of 3 xprivs or 2 out of 3 address specific private keys since it's a multisig wallet.
You are right, i somehow missed it
Thanks for pointing out, i fixed it.
Best option is to contact trusted coin as you said. If he controls the email he used to create the wallet I'm sure he can get them to reset 2fa for him.
Unfortunately the chance of getting it back is relatively low, i'd say.
Even though some user have reported they successfully got their 2FA reset, the majoritiy said TrustedCoin refuses to reset it (which is reasonable because it would open a new attack vector).