Let’s say a user activate 2FA but then lose his phone and don’t have any recovery codes. Can an admin account be able to reset or disable 2FA to allow this user to recover his account?
Yes. Using occ you can disable an app for a user. Note however it says not all apps support being disabled this way.
A safer option is to install the two-factor admin support app. This will let you use occ to generate a one-time code for a user. Then they can log in and disable/fix their 2FA.
This method is also more secure because 2FA is still in effect on their account while they resolve their issue.
Does the Two Factor Admin Support app ONLY generate the special one-time codes via the “occ” interface?
Our application admins (as opposed to Syadmins) use the regular web interface only. Would they be able to use “Two Factor Admin Support” ?
@JohnITDH That particular app must be used from the Nextcloud server’s command line. See documentation for usage.
Feel free to make a feature request at GitHub if you think it will be used too often for the CLI to be prudent. I don’t think people lose their phones all that often.