don't disable 2fa, generate backup codes instead

service/nextcloud.md

@@ -295,14 +295,15 @@ TODO
 
 # How-to
 
-## Disabling 2FA for another user
+## Reseting 2FA for another user
 
 If someone manages to lock themselves out of their two-factor
-authentication, they might ask you for help. First, you need to make
-absolutely sure they are who they say they are. Typically, this
-happens with an OpenPGP signature of a message that states the current
-date and the actual desire to reset the 2FA mechanisms. For example, a
-message like this:
+authentication, they might ask you for help. 
+
+First, you need to make absolutely sure they are who they say they
+are. Typically, this happens with an OpenPGP signature of a message
+that states the current date and the actual desire to reset the 2FA
+mechanisms. For example, a message like this:
 
     -----BEGIN PGP SIGNED MESSAGE-----
 
@@ -317,7 +318,7 @@ This is to ensure that such a message cannot be "replayed" by an
 hostile party to reset 2FA for another user. 
 
 Once you have verified the person's identity correctly, you need to
-"impersonate" the user and disable their 2FA, with the following path:
+"impersonate" the user and reset their 2FA, with the following path:
 
  1. log into Nextcloud
  2. hit your avatar on the top-right
@@ -330,8 +331,5 @@ Once you have verified the person's identity correctly, you need to
  7. hit the avatar on the top-right again
  8. select "Settings"
  9. on the left menu, select "Security"
- 10. disabling 2FA can take many forms here, either:
-    * uncheck the "Enable TOTP' checkbox, if checked
-    * if a device is present, you can remove it
-    * or, even better, generate new backup codes and send them
-      (encrypted, of course) to the user
+ 10. click the "regenerate backup codes" button and send them one of
+     the codes, encrypted