Well, as you know, extra security comes at the cost of ease-of-use… And in this case, extra burden on you.
If the impacted user still has their one-time-password, then they can reset their own device or move to a new one, from their Account Settings page.
That is the whole point of the Multiple Factor Authentication: an additional proof is needed (whether in the form of a password, a device, a list, access to a specific email account, etc.).
The email account is the fallback for the password. The code list is the fallback for the device. You cannot have the same fallback method for 2 of your factors as it defeats the purpose.
If they don’t have their code list, then you really need to be involved. I do not see another way at this time to securely do the device reset.
The options I see for you are:
- get a backup admin. You being the only one seems a dangerous situation anyway, not even considering your 2FA woes.
- better education of your user base. They have to know how important (and useful) their code list is. If they don’t understand the need for the extra security (or don’t buy into it), they need to be convinced or taught about the importance of managing their 2FA info properly.
- do you really need 2FA? Or more to the point, is the extra cost (in your time) warranted? If it is used only for your Shotgun server and not for your other company tools, why the extra security? (The answer may very well be "Yes, we need 2FA"; I just want to ensure that someone has indeed considered this and not just enabled 2FA out of habit.)
- for clients with Super Awesome support, they may consider moving to SSO. Then the 2FA aspect is controlled at the company level. Then it is no longer your concern as a Shotgun admin. And since SSO is usually needed for a series of services in the daily life of the users, Shotgun is not the special snowflake in the lot.
Sorry for not bringing you the answer/work-around you were hoping for,