That's a legitimate concern, but I presume that the use case here is that an account would already have an authenticator code on their account so that they don't have to encounter this scenario. I mean, the means to secure one's account are there and aren't too hard to implement; why take your chances with it?
"Players now need to wait 7 days to remove Ironman mode, in case a player has been hijacked. This can be bypassed by registering an authenticator to the account."
So now you hijack the account, register an authenticator and remove Ironman?
Then what's the point in having the 7-day wait period at all?