I am currently utilizing a trial for Bitwarden Enterprise edition and for the most part have been happy. However, upon doing some of my testing, I ran into a possible issue with 2FA.
If I had a user who lost their phone (and therefore their 2FA code) and that user did not have a recovery code, it doesn’t appear that an admin can remove 2FA from their account.
I also figured that I could get around this by forcing email to be set up as a 2FA option. But the 2FA policy is just enable/disable, and therefore the user can disable email at will.
Doing some research, I came across this page (Lost Secondary Device | Bitwarden Help Center), but it seems to indicate that even with an Enterprise account, admins are unable to reset / enable another form of 2FA for a user's account.
Is this all correct, that there is no way for an admin to reset or remove a user’s 2FA setting, and in turn the only option is for the user to delete their account (and all their saved credentials) and start over?