Admin feature: Ability to safely reset MFA for end users
What feature would you like implemented? (Please give us a brief description of what you'd like.)
Hello!
I would like to submit for the community's consideration the (optional) ability for server owners/admins to choose to enable, in the build config, the ability to easily and safely reset MFA for an end user.
Currently, after discussing with the community on Discord, it was found that if an end user suffers an incident where they lose their MFA token (a damaged phone, for example, assuming their MFA solution used a non-cloud-synced option), there are two ways to resolve this:
1 - An admin will need to run SQL commands to edit DB entries and disable MFA.
2 - The end user will have to abandon their account and is out of luck. They can't even migrate their data to a new account if they are locked out.
It appears admins can reset passwords for end users without problem, but MFA has been deliberately skipped by Misskey over time. Discussion on Discord seems to recall this being a decision possibly based on Misskey culture, where this is by design for the core Misskey instance, which does not want to allow MFA resets given its size and extremely generalized audience.
While the SQL commands option seems to exist, I believe this adds unnecessary overhead to the goal of helping end users. For one, this is not easily documented anywhere and requires digging to figure out, and instead of making this a button in the UI, the admin (if responsible) will need to take backups of their server before running these commands, in case a syntax error messes something up on the account/DB.
But, with that said, I would petition that Sharkey caters more to communities as opposed to large general instances, and it makes complete sense that admins would want to actually help their end users, often on smaller communities where they have personal relationships with them and can easily verify identity using alternate channels.
I considered some of the philosophy mentioned for Misskey being originally designed for a general audience and compared it to my (still active but almost shut down) Mastodon instance.
As a sysadmin, many of us have handled MFA resets in O365/Google Workspace and many other tools for our end users over the years without issue. Even Mastodon, which claims to be community oriented, offers this feature!
I think my final remark introducing the concept of the feature was the added note about freedom of choice. Maybe some admins agree and do not want to allow this to be done via UI.
If this could be added as a config item, it would be 100% admin choice to enable it.
Why should we add this feature? (Please give us a brief description of why your feature is important.)
I believe that the logic whereby people who wish to take their security more seriously are penalized in the event of a loss (hypothetical phone loss or other) with a permanent account lockout, while those with lesser security postures can easily regain access to their accounts with admin help, is a bit flawed. Admins should have the option to help their communities in intuitive, straightforward manners.
With the conversation from the Discord in mind, I believe that this type of feature certainly seems like it would make sense belonging on the soft fork Sharkey, with more care for communities and its end users.
Version (What version of Sharkey is your instance running? You can find this by clicking your instance's logo at the top left and then clicking instance information.): 2024.3.3
Instance (What instance of Sharkey are you using?): https://oshi.social/
Contribution Guidelines By submitting this issue, you agree to follow our Contribution Guidelines
- I agree to follow this project's Contribution Guidelines
- I have searched the issue tracker for similar requests, and this is not a duplicate.