Secure Token Woes and Needs


I am working with a client that has no central identity provider (no AD/LDAP, cloud, etc.) so all accounts are local and admins.

They are not using FileVault (don't get me started) at this time.

And, unsurprisingly, most people are working from home. So when a user has an issue logging in, he needs to be able to walk them through resetting their password.

I have implemented one of the many LAPS type systems out there to create a backdoor account with a rotating (but neatly available) password. The idea being that if someone is locked out, they can call in and get the current emergency password to get in and do what they need, namely resetting their password.

However, as you probably know, in order to reset a user's password, the account needs to have a secure token.

What workflows do you use, or could be implemented, to create a backdoor admin account that holds a secure token, as the main user does?

Based on Google and Jamf Nation searches this seems to have been a moving target a bit, so I'd like to get some up-to-date expert advice.
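As an added example (not from the original post), a small macOS shell script built around `sysadminctl -secureTokenStatus` and `sysadminctl -secureTokenOn` that checks whether the emergency admin holds a secure token before it is relied on for password resets, and optionally grants one from a token-holding user; the account names and environment variables are placeholders I chose.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether the emergency
# (LAPS-style) admin account holds a secure token and, if asked, grants one
# using the credentials of an account that already has one. Account names
# are placeholders; sysadminctl is macOS-only.

# Parse the text sysadminctl prints for -secureTokenStatus (it goes to stderr).
# Prints one of: enabled, disabled, unknown.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Live status for one local account.
secure_token_status() {
    out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
    parse_token_status "$out"
}

# Grant a token to $1 with $2 as the token-holding admin. Passing "-" makes
# sysadminctl prompt for both passwords so they never appear in ps output
# or shell history.
grant_secure_token() {
    sysadminctl -secureTokenOn "$1" -password - \
                -adminUser "$2" -adminPassword -
}

main() {
    emergency="${EMERGENCY_ACCOUNT:-laps_admin}"   # placeholder account name
    holder="${TOKEN_HOLDER:-primaryuser}"          # placeholder: a user who has a token
    status=$(secure_token_status "$emergency")
    echo "secure token for $emergency: $status"
    if [ "$1" = "--grant" ] && [ "$status" = disabled ]; then
        grant_secure_token "$emergency" "$holder" && secure_token_status "$emergency"
    fi
}

# Run with --check to report, or --grant to also fix a missing token.
case "${1:-}" in
    --check|--grant) main "$1" ;;
esac
```

Run it as the locked-out user's admin session with `--check` first; `--grant` only acts when the status is reported as disabled.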