you can use generaterecoveryresponsecode to do a c/r token change for someone at the pre-boot screen, but no, there's no way to set a users token type through the api, as most tokens require insertion and/or UI.
So what would you suggest if a user lost his smartcard and we have to provide a single factor authentication (password token) till the user receives the new card.
Should the MEE admin go and change the token type of the user manually in MEE Manager?
Would that take effect after endpoint to MEE synchronization?
yes, if you want to make a permanent change to the policy, you need to do that in EEM - changes made with the recovery system only last until the next connection back to EEM.
Go thru a user recovery and select Change token and select Password only token. On console select the user and change token to password only---it will prompt with password change. You can hit OK and it will change to Password only token---or you can hit Canel and hit apply---it will prompt you if you want to change token. Here is the thing though---machine needs to synch to get changed user token or it will be looking for the smart card per next reboot.