diff --git a/server/www/teleport/static/js/tp-const.js b/server/www/teleport/static/js/tp-const.js
old mode 100644
new mode 100755
index 5df2d8b..7a9cdeb
--- a/server/www/teleport/static/js/tp-const.js
+++ b/server/www/teleport/static/js/tp-const.js
@@ -212,6 +212,7 @@ var TPE_CAPTCHA_EXPIRED = 10000;
var TPE_CAPTCHA_MISMATCH = 10001;
var TPE_OATH_MISMATCH = 10002;
var TPE_SYS_MAINTENANCE = 10003;
+var TPE_OATH_ALREADY_BIND = 10004;
var TPE_USER_LOCKED = 10100;
var TPE_USER_DISABLED = 10101;
@@ -314,6 +315,10 @@ function tp_error_msg(error_code, message) {
case TPE_SYS_MAINTENANCE:
msg = '系统维护中';
break;
+
+ case TPE_OATH_ALREADY_BIND:
+ msg = '该账号已经绑定了身份验证器,如无法使用,请联系管理员重置密码或更换登陆方式';
+ break;
case TPE_USER_LOCKED:
msg = '账号已被锁定';
diff --git a/server/www/teleport/static/js/user/bind-oath.js b/server/www/teleport/static/js/user/bind-oath.js
old mode 100644
new mode 100755
index d9f8f42..4e59b8e
--- a/server/www/teleport/static/js/user/bind-oath.js
+++ b/server/www/teleport/static/js/user/bind-oath.js
@@ -182,7 +182,7 @@ $app.on_auth_user = function () {
}
$app.dom.auth.btn_submit.attr('disabled', 'disabled');
- $tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password},
+ $tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password, check_bind_oath: true},
function (ret) {
$app.dom.auth.btn_submit.removeAttr('disabled');
if (ret.code === TPE_OK) {
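Review bot: The already-bound guard only runs when the caller sends `check_bind_oath: true` in this `/user/verify-user` request, so it is an opt-in check controlled by the client rather than a server-side rule. A request that omits the flag, or that goes straight to `/user/do-bind-oath`, is not covered by anything visible in this diff. The refusal to overwrite an existing secret belongs in the bind handler itself; its body is not shown here, so confirm it re-checks `oath_secret` before writing. `$app.on_auth_user` starts and ends outside this hunk.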
diff --git a/server/www/teleport/static/js/user/user-list.js b/server/www/teleport/static/js/user/user-list.js
old mode 100644
new mode 100755
index 65f0719..fb85bc1
--- a/server/www/teleport/static/js/user/user-list.js
+++ b/server/www/teleport/static/js/user/user-list.js
@@ -203,6 +203,8 @@ $app.on_table_users_cell_created = function (tbl, row_id, col_key, cell_obj) {
$app.dlg_edit_user.show_edit(row_id);
} else if (action === 'reset-password') {
$app.dlg_reset_password.show_edit(row_id);
+ } else if (action === 'reset-oath-bind') {
+ $app._reset_oath_bind(user.id);
} else if (action === 'lock') {
$app._lock_users([user.id]);
} else if (action === 'unlock') {
@@ -349,6 +351,7 @@ $app.on_table_users_render_created = function (render) {
h.push('
');
h.push(' 重置密码');
+ h.push(' 重置身份验证器');
h.push('');
h.push(' 删除');
h.push('');
@@ -547,6 +550,21 @@ $app.set_selected_to_role = function (role_id, role_name) {
};
+$app._reset_oath_bind = function (users) {
+ $tp.ajax_post_json('/user/do-unbind-oath', {users: users},
+ function (ret) {
+ if (ret.code === TPE_OK) {
+ $tp.notify_success('重置身份验证器操作成功!');
+ } else {
+ $tp.notify_error('重置身份验证器操作失败:' + tp_error_msg(ret.code, ret.message));
+ }
+ },
+ function () {
+ $tp.notify_error('网络故障,重置身份验证器操作失败!');
+ }
+ );
+};
+
$app._lock_users = function (users) {
$tp.ajax_post_json('/user/update-users', {action: 'lock', users: users},
function (ret) {
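Review bot: `$app._reset_oath_bind` names its parameter and JSON key `users`, but the only caller in this diff passes a single `user.id`, whereas the neighbouring `_lock_users` receives `[user.id]`. Either rename the parameter to `user_id` or send an array as the sibling helpers do, and add a short comment such as `// Clears the OATH secret for one user; server requires the user-delete privilege`. Removing a second factor is also a destructive action that currently fires on a single click, so a confirmation step before the POST would be worth adding. The `_lock_users` body that follows continues outside the hunk.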
diff --git a/server/www/teleport/webroot/app/const.py b/server/www/teleport/webroot/app/const.py
old mode 100644
new mode 100755
index c029c0f..c3c9a5e
--- a/server/www/teleport/webroot/app/const.py
+++ b/server/www/teleport/webroot/app/const.py
@@ -198,6 +198,7 @@ TPE_CAPTCHA_EXPIRED = 10000
TPE_CAPTCHA_MISMATCH = 10001
TPE_OATH_MISMATCH = 10002
TPE_SYS_MAINTENANCE = 10003
+TPE_OATH_ALREADY_BIND = 10004
TPE_USER_LOCKED = 10100
TPE_USER_DISABLED = 10101
diff --git a/server/www/teleport/webroot/app/controller/__init__.py b/server/www/teleport/webroot/app/controller/__init__.py
old mode 100644
new mode 100755
index 6f1c56f..d141f5b
--- a/server/www/teleport/webroot/app/controller/__init__.py
+++ b/server/www/teleport/webroot/app/controller/__init__.py
@@ -78,6 +78,8 @@ controllers = [
(r'/user/verify-user', user.DoVerifyUserHandler),
# - [json] 绑定身份认证器
(r'/user/do-bind-oath', user.DoBindOathHandler),
+ # - 取消绑定身份认证器
+ (r'/user/do-unbind-oath', user.DoUnBindOathHandler),
#
# - 用户组管理页面
(r'/user/group', user.GroupListHandler),
diff --git a/server/www/teleport/webroot/app/controller/user.py b/server/www/teleport/webroot/app/controller/user.py
old mode 100644
new mode 100755
index 6085f70..4704179
--- a/server/www/teleport/webroot/app/controller/user.py
+++ b/server/www/teleport/webroot/app/controller/user.py
@@ -144,7 +144,12 @@ class DoVerifyUserHandler(TPBaseJsonHandler):
except:
return self.write_json(TPE_PARAM)
- err, user_info = user.login(self, username, password=password)
+ try:
+ check_bind_oath = args['check_bind_oath']
+ except:
+ check_bind_oath = False
+
+ err, user_info = user.login(self, username, password=password, check_bind_oath=check_bind_oath)
if err != TPE_OK:
if err == TPE_NOT_EXISTS:
err = TPE_USER_AUTH
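Review bot: The bare `except:` around `args['check_bind_oath']` swallows every error, and the value is forwarded to `user.login()` without a type check, so any JSON value the client sends reaches the model layer. Assuming `args` is the decoded JSON object, `check_bind_oath = args.get('check_bind_oath', False) is True` keeps the default and accepts only a real boolean. A one-line comment that the flag is used by the bind-authenticator page to refuse re-binding would also help, since `verify-user` is otherwise a generic credential check. The handler's `post` method starts above this hunk.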
@@ -190,6 +195,28 @@ class DoBindOathHandler(TPBaseJsonHandler):
return self.write_json(TPE_OK)
+class DoUnBindOathHandler(TPBaseJsonHandler):
+ def post(self):
+ ret = self.check_privilege(TP_PRIVILEGE_USER_DELETE)
+ if ret != TPE_OK:
+ return
+
+ args = self.get_argument('args', None)
+ if args is None:
+ return self.write_json(TPE_PARAM)
+ try:
+ args = json.loads(args)
+ except:
+ return self.write_json(TPE_JSON_FORMAT)
+
+ try:
+ users = args['users']
+ except:
+ return self.write_json(TPE_PARAM)
+
+ # 把oath设置为空就是去掉oath验证
+ err = user.update_oath_secret(self, users, '')
+ self.write_json(err)
class OathSecretQrCodeHandler(TPBaseHandler):
def get(self):
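Review bot: `DoUnBindOathHandler.post` passes `args['users']` to `user.update_oath_secret` without checking its type or that it is non-empty, so whatever JSON value the client supplies decides which rows lose their second factor. Validate it before the call (the web client sends a single id, and the reset-password path in this commit passes `user_id`, so a scalar id appears to be the expected shape) and return `TPE_PARAM` otherwise. Removing MFA is a security-relevant change, yet the handler writes no audit record of who reset which account; adding one after a `TPE_OK` result would make misuse detectable. It is also worth confirming that `TP_PRIVILEGE_USER_DELETE` is the intended privilege for this action, and adding a class docstring stating that an empty secret disables OATH for the user.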
@@ -752,6 +779,11 @@ class DoResetPasswordHandler(TPBaseJsonHandler):
if mode == 4 and err == TPE_OK:
user.remove_reset_token(token)
+ # 非用户自行修改密码的情况,都默认重置身份认证
+ if mode != 5 and err == TPE_OK:
+ print("reset oath secret")
+ user.update_oath_secret(self, user_id, '')
+
self.write_json(err)
else:
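Review bot: The condition `mode != 5 and err == TPE_OK` also covers `mode == 4`, the token-based reset handled just above by `user.remove_reset_token(token)`, so completing a password reset with a token appears to clear the account's second factor as well. If mode 4 is the user-facing reset-link flow, that reduces the account to password-only protection for anyone holding a valid reset token; consider limiting the OATH reset to the administrator-initiated modes. The return value of `user.update_oath_secret(self, user_id, '')` is discarded, so a failed reset still reports success, and `print("reset oath secret")` should go through the project's logger and name the affected user. The enclosing `post` method starts and ends outside this hunk.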
diff --git a/server/www/teleport/webroot/app/model/user.py b/server/www/teleport/webroot/app/model/user.py
old mode 100644
new mode 100755
index 0124d63..24d9d9e
--- a/server/www/teleport/webroot/app/model/user.py
+++ b/server/www/teleport/webroot/app/model/user.py
@@ -49,7 +49,7 @@ def get_by_username(username):
return TPE_OK, s.recorder[0]
-def login(handler, username, password=None, oath_code=None):
+def login(handler, username, password=None, oath_code=None, check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
@@ -62,6 +62,10 @@ def login(handler, username, password=None, oath_code=None):
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
+ if check_bind_oath == True and len(user_info['oath_secret']) != 0:
+ return TPE_OATH_ALREADY_BIND, None
+
+
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
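Review bot: The new `TPE_OATH_ALREADY_BIND` return sits before the locked-state handling and, as far as this hunk shows, before the password is verified (the verification is outside the hunk, so confirm). In that position the error code discloses whether a given username has an authenticator bound to callers who have not proven the password, although `DoVerifyUserHandler` otherwise maps `TPE_NOT_EXISTS` to `TPE_USER_AUTH` to avoid revealing account state. Moving the check to after successful password verification keeps the feature without the disclosure. Separately, `len(user_info['oath_secret'])` raises if the column is NULL and `== True` is unidiomatic; `if check_bind_oath is True and user_info['oath_secret']:` handles both.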