As an administrator I need to be able to turn off tfa for specific users

[aweingarten]

Currently a user must login as an admin, attempt to turn it off 2fa for a user, get prompted for a password and then enter the password.

Its impossible to do this for an admin that relies on drush uli to turn off 2fa. You get prompted for a password you don't know! Administrators should be able to disable 2fa without being prompted for a password.

[nerdstein]

The same could be said for the Masquerade module, but that would be after a user is logged in

[nerdstein]

@aweingarten --- what do you think the best way to solve this is? clearly we need to keep the security intact but walk us through what you think would be a good means for resolving this.

[nerdstein]

We need a permission that bypasses the secondary password check if you have the permission.

Basically, as an admin, I could be granted a "manage user tfa" permission which would NOT prompt me for a secondary password check

[aweingarten]

We already have an "Administer users" permission which is used to manage users and password. Can reuse that.

Keep "Administer TFA" for the global site wide settings.

[therealssj]

yes, administer users seems to be better, was just writing that.
It is already used in TFA at some positions.

[nerdstein]

I like that idea.