Add admin option to remove 2FA on /users API endpoint
Release notes
Adds the ability for admin users to remove a user's 2FA through the Users API.
Problem to solve
As a GitLab admin I want to be able to build my own tooling to manage the user lifecycle, including the ability to remove 2FA for a requesting user programmatically.
Intended users
User experience goal
A user with an admin API token should be able to use the API to remove 2FA for a user who has lost/forgotten their backup codes and primary token generator.
Proposal
Allow an admin to PUT /users/:id
with the parameter "two_factor_enabled": false
to remove 2FA from a user. This will not change the requirement to enable 2FA inherited from a group or global level.
For example:
curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" --data "two_factor_enabled=false" "https://gitlab.example.com/api/v4/users/1234"
Further details
Permissions and Security
Admin only
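The checks this proposal implies, as an added stand-alone Ruby sketch that is not GitLab source code: authorise the caller as admin before reading any parameter, clear the target's 2FA material, and leave any group or global 2FA requirement in place. The `User` struct, `update_user`, the error classes and `AUDIT_LOG` are hypothetical names, and rejecting any value other than false is an assumption the proposal does not state.

```ruby
# Hypothetical stand-alone model of the proposed behaviour; not GitLab source.
User = Struct.new(:id, :admin, :otp_secret, :backup_codes, :two_factor_required,
                  keyword_init: true) do
  def two_factor_enabled?
    !otp_secret.nil?
  end
end

class Forbidden < StandardError; end
class BadRequest < StandardError; end

AUDIT_LOG = [] # constructed in-memory audit sink for the example

# Models PUT /users/:id, restricted to the two_factor_enabled parameter.
def update_user(current_user, target, params)
  # "Admin only": authorise before looking at any parameter.
  raise Forbidden, 'admin token required' unless current_user.admin

  return target unless params.key?('two_factor_enabled')

  value = params['two_factor_enabled']
  # Form-encoded data arrives as strings, so accept both false and "false".
  # Assumption: the parameter can only remove 2FA; anything else is rejected.
  unless [false, 'false'].include?(value)
    raise BadRequest, 'two_factor_enabled only accepts false'
  end

  if target.two_factor_enabled?
    target.otp_secret = nil
    target.backup_codes = []
    AUDIT_LOG << { action: 'two_factor_removed', by: current_user.id, target: target.id }
  end
  # two_factor_required (group or global enforcement) is deliberately untouched.
  target
end

# Constructed sample users: an admin and the locked-out user from the curl example.
def sample_users
  admin = User.new(id: 1, admin: true, otp_secret: 'A', backup_codes: ['x'],
                   two_factor_required: true)
  user = User.new(id: 1234, admin: false, otp_secret: 'B', backup_codes: %w[y z],
                  two_factor_required: true)
  [admin, user]
end
```

Because `two_factor_required` stays set, the user in this model would still have to enrol a new second factor afterwards.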
Documentation
https://docs.gitlab.com/ee/api/users.html#user-modification