
Figure out MFA in the cluster
Open, Normal, Public

Description

We received a real support request to strip MFA, so should figure out how to let administrators strip MFA in the cluster.

The simplest approach is to provide access to auth strip from the console. However, this means that an attacker who compromises an administrator account that has MFA on an instance but no MFA on their cluster account can strip the instance MFA.

We can encourage administrators to set up cluster MFA, but then we can't verify their identities if they need that stripped.

Some approaches for this might be:

  • Implement backup codes (T6549) -- but this only mitigates the issue.
  • Implement SMS MFA -- this is less secure than TOTP but also easier to use and less likely to get lost (hopefully).
  • Warn users that we do not strip MFA for any reason and they must retain their backup codes.
  • Creative out-of-band stuff? Like we could call the company if they have a phone number listed somewhere, but there's probably no side channel that we can employ in a reasonable number of cases.
  • Timed unlocks (some discussion in T6549) or something in that vein.
  • If we could accept payments from anonymous users, we could have users make a $1 payment with the same card to verify that they possess the card (or a card in the company name or their real name). This is how USPS verifies identity for address changes. We can't actually see the card number, but name + 4 digits is pretty compelling. However, they can't currently make a payment without logging into their account.

Revisions and Commits

Restricted Differential Revision

Event Timeline

epriestley raised the priority of this task from to Normal.
epriestley updated the task description.
epriestley added a project: Phacility.
epriestley moved this task to Do After Launch on the Phacility board.
epriestley added a subscriber: epriestley.

Do we require admins to have MFA already by default on Phacility?

No. We do perform MFA checks if they enable it, but we don't currently require it (and don't have UI hints to suggest that they configure it).

This is sort of the blocker for that, since I'm hesitant to get everyone on MFA when we don't have a plan on stripping/resetting. I'd probably want to show a suggestion to users with no MFA and at least one administrated instance ("Hey, configure MFA for extra security when you have a chance.") if we had a clearer direction here.

I also guess I can build the actual instance-strip operation regardless of the central-account-strip operation, since if administrators configure only instance MFA then central MFA compromise likely allows an attacker some kind of access anyway (at a minimum, they can add an account they control to the instance as a member, which is likely nearly as bad as compromising an administrative account fully).

Yeah, I assume we want admins to have the beefiest set of protection.

epriestley added a revision: Restricted Differential Revision. Mar 20 2015, 9:54 PM
epriestley added a commit: Restricted Diffusion Commit. Mar 23 2015, 4:11 PM

One idea is that we could let you designate peers (either explicitly, or implicitly by sharing administrative control with them? -- but probably explicitly) who are permitted to strip your MFA tokens.

That is, the workflow would be:

  • UI says "If you lose your phone and your MFA backup codes, you won't be able to access your account. You can designate peers who you trust to remove MFA from your account. If you lose your phone, you'll be able to ask them for help to regain access."
  • I go designate that I trust you to strip MFA.
  • I lose my phone.
  • I go over to your house and give you the secret handshake, then say "Please strip my MFA."
  • You log in, strip my MFA, and then I'm back in.

This generally doesn't let an attacker expand access (at best, they can compromise accounts sideways, which isn't too valuable) and is hands-off for us and legitimately pretty secure. Seems reasonably easy for users to understand, too. So I generally like this approach.
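The designated-peer workflow above, as an added example that is not Phacility's or Phabricator's own code. The account names, the rule that designating a peer requires an MFA-verified session, and the audit record shape are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    mfa_enabled: bool = False
    trusted_peers: set = field(default_factory=set)  # usernames allowed to strip my MFA


@dataclass
class Session:
    username: str
    mfa_verified: bool  # did this login complete an MFA challenge?


def designate_peer(owner: Session, peer: str, accounts: dict) -> tuple:
    """Owner adds a trusted peer. Assumed hardening: requires an MFA-verified session,
    so a password-only attacker cannot pre-plant a peer they control."""
    if not owner.mfa_verified:
        return False, "designating a peer requires an MFA-verified session"
    if peer == owner.username or peer not in accounts:
        return False, "peer must be a different, existing account"
    accounts[owner.username].trusted_peers.add(peer)
    return True, "ok"


def strip_mfa(actor: Session, target: str, accounts: dict, audit: list) -> tuple:
    """Peer-initiated strip: only an explicitly designated peer may act, the owner
    cannot do it alone (that is the lockout case), and every attempt is logged."""
    acct = accounts[target]
    if actor.username == target:
        outcome = (False, "self-service strip is not allowed; use backup codes")
    elif actor.username not in acct.trusted_peers:
        outcome = (False, f"{actor.username} is not a designated peer of {target}")
    elif not acct.mfa_enabled:
        outcome = (False, "target has no MFA to strip")
    else:
        acct.mfa_enabled = False
        outcome = (True, "ok")
    audit.append({"actor": actor.username, "target": target, "ok": outcome[0], "reason": outcome[1]})
    return outcome


def run_scenario() -> dict:
    """Constructed walk-through of the task's workflow: alice trusts bob, loses her
    phone, bob strips her MFA; mallory, who was never designated, is refused."""
    accounts = {u: Account(u, mfa_enabled=True) for u in ("alice", "bob", "mallory")}
    audit = []
    designated = designate_peer(Session("alice", True), "bob", accounts)
    by_mallory = strip_mfa(Session("mallory", True), "alice", accounts, audit)
    by_bob = strip_mfa(Session("bob", True), "alice", accounts, audit)
    return {"designated": designated, "by_mallory": by_mallory, "by_bob": by_bob,
            "alice_mfa": accounts["alice"].mfa_enabled, "audit": audit}
```

The refused attempt still lands in the audit list, which is what an operator would review when a strip request looks suspicious.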