Two factor authentication is certainly something that a user should never be able to reset for themself. That would be a security vulnerability. The system administrator will need to do that for the instructors. There is a wwsh script bin/reset2fa that the system administrator can use to reset the OTP secret for a user. Execute "wwsh ./bin/reset2fa courseId userId" from the /opt/webwork/webwork2 directory.
In the next release of WeBWorK there will be a page in the admin course that you can manage OTP secrets for users on.