Hello,
When calling UserMfaSession.destroy the mfa_credentials cookie is not destroyed at all.

It seems the GoogleAuthenticatorRails.destroy method requires the current domain as specified on https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html

I will send a PR for that

if you're using cookies the method to be used to delete the cookie is via UserMfaSession::destroy. right?

Yep!