Type: Suggestion
Resolution: Unresolved
Component/s: Login - MFA / 2FA
User Problem
Currently, managed accounts cannot remove their own two-step verification (2FA). Only organization admins can remove 2FA on behalf of a managed user. This creates unnecessary friction and operational overhead:
- Users who need to change their 2FA method (e.g., new phone, lost authenticator app) must raise a request to their org admin and wait for manual removal before they can re-enroll.
- Users often don't know who their organization admins are. There is no easy way for a managed account user to identify or contact the correct admin to request 2FA removal, leading to confusion, support tickets, and delays.
- Org admins are burdened with routine 2FA removal requests that could safely be self-serviced by the user, especially in large organizations with hundreds or thousands of managed accounts.
Suggested Solution
Add a configurable option within Authentication Policies that allows org admins to grant managed accounts the ability to self-service remove their own 2FA. Specifically:
- New policy toggle: within an authentication policy, add a setting such as "Allow users to remove their own two-step verification" (default: off, preserving current behavior).
- Per-policy granularity: since authentication policies can be applied to different user subsets, admins could enable self-service 2FA removal for some groups (e.g., low-risk internal users) while keeping it admin-only for others (e.g., privileged accounts).
- Audit logging: when a managed user self-removes their 2FA, log the event in the org audit log so admins retain visibility.
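To make the proposed semantics concrete, the following is an added model of the decision and audit logic described above; it is illustrative code written for this ticket, not Atlassian's implementation, and the class names, the audit event names and the re-enrollment flag are assumptions. It goes slightly beyond the text by also auditing denied attempts, which is what an admin reviewing the org audit log would want to see.

```python
from dataclasses import dataclass

@dataclass
class AuthPolicy:
    name: str
    # The proposed toggle; default off keeps today's admin-only behaviour.
    allow_self_service_2fa_removal: bool = False

@dataclass
class ManagedAccount:
    account_id: str
    policy: AuthPolicy          # the authentication policy applied to this user
    is_org_admin: bool = False
    mfa_enrolled: bool = True
    # Set when 2FA is removed so the next sign-in is forced into re-enrollment.
    mfa_reenrollment_required: bool = False

AUDIT_LOG: list[dict] = []   # stands in for the org audit log (assumed shape)

def can_remove_2fa(actor: ManagedAccount, target: ManagedAccount) -> bool:
    """Org admins may always remove a managed user's 2FA (current behaviour); a user
    may remove only their own 2FA, and only if their policy enables the toggle."""
    if actor.is_org_admin:
        return True
    if actor.account_id == target.account_id:
        return target.policy.allow_self_service_2fa_removal
    return False

def remove_2fa(actor: ManagedAccount, target: ManagedAccount) -> bool:
    """Apply the removal if permitted; both outcomes are written to the audit log."""
    allowed = can_remove_2fa(actor, target)
    AUDIT_LOG.append({
        "event": "2fa_removed" if allowed else "2fa_removal_denied",
        "actor": actor.account_id,
        "target": target.account_id,
        "self_service": actor.account_id == target.account_id,
        "policy": target.policy.name,
    })
    if allowed:
        target.mfa_enrolled = False
        target.mfa_reenrollment_required = True
    return allowed

def sign_in_requires_2fa_enrollment(account: ManagedAccount) -> bool:
    """Re-enrollment enforcement: an account without 2FA is sent to enrollment at sign-in."""
    return account.mfa_reenrollment_required or not account.mfa_enrolled

def reenroll_2fa(account: ManagedAccount) -> None:
    account.mfa_enrolled = True
    account.mfa_reenrollment_required = False
```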
Why This Is Important
- Reduces admin toil: Routine 2FA resets are one of the most common managed-account admin tasks. Self-service eliminates this bottleneck.
- Improves user experience: Users can resolve their own 2FA issues (lost device, app migration) without waiting on an admin they may not even know how to reach.
- Maintains security: the feature is opt-in per policy, so admins retain full control. Combined with re-enrollment enforcement, users never operate without 2FA.
- Scales for large orgs: Organizations with thousands of managed accounts cannot sustainably handle every 2FA removal manually.
Current Workaround
Users must identify and contact their org admin to manually remove 2FA from their managed account via the admin console. Many users do not know who their org admin is, and there is no in-product mechanism to surface this information. If the admin is unavailable (different timezone, on leave, etc.), the user is locked out of changing their 2FA method until the admin acts. There is no self-service path.