The “Require two step authentication reset” option on the Edit User form should generate a new TOTP secret key for the user’s 2FA setup.

Currently, this option only causes the user’s 2FA setup to be displayed as a QR code at next login. However, the secret key is not changed. The most likely need for this option is to allow the user to set up their authenticator app because their previous authenticator has been lost or stolen. Since the same secret key is used for the setup, the lost or stolen authenticator can still be used. THIS IS A FUNDAMENTAL AND SERIOUS SECURITY FLAW.

NOTE: There is a current workaround to this problem. If the 2FA is disabled and enabled from the Security menu of the dashboard, then a new secret key is generated. However, this requires the user to have Manage Computer permissions (otherwise they do not have a dashboard).
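The difference between the reported and the requested reset behaviour, as an added example that is not part of the original post and not the product's code: the `User` class and both reset functions are hypothetical stand-ins, and the code generator follows RFC 6238 (HMAC-SHA1, 30-second step), which is an assumption about the scheme in use.

```python
import base64
import hashlib
import hmac
import secrets
import struct

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as implemented by common authenticator apps."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def new_secret() -> str:
    # 160 bits from the CSPRNG, base32-encoded as it would appear in a QR code.
    return base64.b32encode(secrets.token_bytes(20)).decode()

class User:
    """Hypothetical user record; field names are illustrative only."""
    def __init__(self):
        self.totp_secret = new_secret()
        self.must_enroll = False

def reset_redisplay_only(user: User) -> None:
    """Behaviour described in the report: QR code shown again, same secret."""
    user.must_enroll = True

def reset_with_rotation(user: User) -> None:
    """Requested behaviour: a fresh secret invalidates every earlier enrolment."""
    user.totp_secret = new_secret()
    user.must_enroll = True

def verify(user: User, code: str, now: int) -> bool:
    """Server-side check of a submitted code against the stored secret."""
    return hmac.compare_digest(totp(user.totp_secret, now), code)

def lost_device_still_accepted(reset_fn, now: int = 1_700_000_000) -> bool:
    """True if a device enrolled before the reset keeps producing valid codes."""
    user = User()
    lost_device_secret = user.totp_secret        # what the lost or stolen phone holds
    reset_fn(user)
    windows = [now + 30 * i for i in range(3)]   # three consecutive time steps
    return all(verify(user, totp(lost_device_secret, t), t) for t in windows)

if __name__ == "__main__":
    print("re-display only:", lost_device_still_accepted(reset_redisplay_only))
    print("with rotation:  ", lost_device_still_accepted(reset_with_rotation))
```

A regression test for the fix can assert exactly this property: after a reset, codes derived from the pre-reset secret are rejected.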