In T270823#6711836, @Urbanecm wrote:

Hmm, who can revoke OTRS 2FA? Does it require shell access?

In T263328#6476423, @Krenair wrote:

This worked in the past on OTRS 5 with e.g. oversight queues. I assumed it
was deliberate - the most sensitive part of a ticket is almost always going
to be the first article and in this case the agent has already seen it.

In T263328#6476414, @Kb03 wrote:

In OTRS 5 you could do the same thing with certain queues. I had a ticket get moved to permissions and I could still view and interact with it.

As another issue I see with this, the shared secret stays openly viewable in my preferences after being set. It's right below the password change fields, which ask for a 2FA token (presumably as a security check). Rather defeats the purpose of asking for that if you can just grab the secret and generate a code...

I was able to set it up in Google Authenticator without issue and it seems to be behaving. (Wouldn't let me log in with a blank or wrong code, and did let me log in with the right one.) It is somewhat confusing and fairly easy to mess up though. Agree with previous comment about documenting and communicating about the blank 2FA field when logging in. Manual entry of the shared secret seems like it would be fairly easy to accidentally brick your account, especially since I'm not seeing anywhere that it generates scratch codes.

As would I, just say the word