Our company stores some documents in Projectplace with such high security level that the users need to have the two way identification feature activated. This feature can only be activated by the user him- or herself, not from the administration center. So far so good (although it would have been more convenient if it could be done by admin).
But the problem comes when we realise that the user also can deactivate the same feature whenever he or she feels like. Our suggestion is that when a two way identification has been activated, it can only be deactivated by a top administrator.