Hi,
I would enable 2FA and generate a strong password for the root account which you’ll put into your company’s “password safe”.
While you can reset/enable accounts using the rails console on your server, there could be situations where you need immediate admin actions and no other logins available. Then you’ll have the documented way of using the root login with 2FA and the password safe.
Disabling the account also is an option, depending on your emergency workflows.
Cheers,
Michael