To protect user accounts, ShadowMap follows the same security model used by leading platforms: admins can’t directly “reset” a user’s 2FA because the TOTP secret must remain known only to the user’s device. Instead, we’ve enabled a secure recovery path.
What’s now supported
- Temporarily disable 2FA (admin action): Allows the user to sign in and reconfigure 2FA on their own device.
- Generate a one-time recovery code (admin action): Admins can create a single-use code and share it with the user. The user logs in with the recovery code and then resets their 2FA immediately.
Recommended flow
- Admin generates a one-time recovery code (or disables 2FA temporarily).
- User signs in using that recovery method.
- User re-enables 2FA by scanning a fresh QR code on their phone.
- User stores new backup codes for future recovery.
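The flow above, as an added example that is not ShadowMap's own code: the admin-issued recovery code is stored only as a hash, expires, is consumed on first successful use, and redeeming it discards the old TOTP secret so the user has to scan a fresh QR code and receive new backup codes. The account fields, function names and the 15-minute `RECOVERY_TTL` are assumptions.

```python
import hashlib
import hmac
import secrets

RECOVERY_TTL = 15 * 60  # assumed: a recovery code is valid for 15 minutes

def _h(value: str) -> str:
    # Codes are high-entropy random strings, so SHA-256 at rest is sufficient.
    return hashlib.sha256(value.encode()).hexdigest()

class Account:
    def __init__(self, username: str):
        self.username = username
        self.totp_secret = secrets.token_bytes(20)  # lives on the user's device; admins never read it
        self.totp_required = True
        self.must_reenroll = False   # forces a fresh QR scan before normal 2FA logins resume
        self.recovery_hash = None
        self.recovery_expires = 0.0
        self.backup_hashes = []

def admin_temporarily_disable_2fa(acct: Account) -> None:
    # Admin action 1: let the user in without TOTP, but only until they re-enroll.
    acct.totp_required = False
    acct.must_reenroll = True

def admin_issue_recovery_code(acct: Account, now: float) -> str:
    # Admin action 2: mint a single-use code; only its hash is kept server-side.
    code = secrets.token_urlsafe(12)
    acct.recovery_hash = _h(code)
    acct.recovery_expires = now + RECOVERY_TTL
    return code  # shown once to the admin, handed to the user out of band

def redeem_recovery_code(acct: Account, code: str, now: float) -> bool:
    # Step 2 of the flow: wrong, expired or already-used codes all fail.
    if acct.recovery_hash is None or now > acct.recovery_expires:
        return False  # nothing outstanding, or it expired
    if not hmac.compare_digest(_h(code), acct.recovery_hash):
        return False  # wrong code; rate-limit this path in production
    acct.recovery_hash = None   # single use: consumed on success
    acct.totp_secret = None     # old secret is dead; the user must scan a new QR code
    acct.must_reenroll = True
    return True

def user_reenroll_totp(acct: Account) -> tuple[bytes, list[str]]:
    # Steps 3-4: user scans a fresh QR code and stores new backup codes.
    acct.totp_secret = secrets.token_bytes(20)
    codes = [secrets.token_hex(4) for _ in range(10)]
    acct.backup_hashes = [_h(c) for c in codes]
    acct.must_reenroll = False
    acct.totp_required = True
    return acct.totp_secret, codes  # secret goes into the QR; plaintext codes are shown once
```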