diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -29,10 +29,13 @@
   OutboundKeysForUserRequest, OutboundKeysForUserResponse,
   PeersDeviceListsRequest, PeersDeviceListsResponse,
   PrimaryDeviceLogoutRequest, PrivilegedDeleteUsersRequest,
-  RefreshUserPrekeysRequest, UpdateDeviceListRequest,
-  UpdateUserPasswordFinishRequest, UpdateUserPasswordStartRequest,
-  UpdateUserPasswordStartResponse, UploadOneTimeKeysRequest,
-  UserDevicesPlatformDetails, UserIdentitiesRequest, UserIdentitiesResponse,
+  PrivilegedResetUserPasswordFinishRequest,
+  PrivilegedResetUserPasswordStartRequest,
+  PrivilegedResetUserPasswordStartResponse, RefreshUserPrekeysRequest,
+  UpdateDeviceListRequest, UpdateUserPasswordFinishRequest,
+  UpdateUserPasswordStartRequest, UpdateUserPasswordStartResponse,
+  UploadOneTimeKeysRequest, UserDevicesPlatformDetails, UserIdentitiesRequest,
+  UserIdentitiesResponse,
 };
 use super::protos::unauth::Empty;
 
@@ -660,6 +663,25 @@
     Ok(Response::new(response))
   }
 
+  #[tracing::instrument(skip_all)]
+  async fn privileged_reset_user_password_start(
+    &self,
+    _request: tonic::Request<PrivilegedResetUserPasswordStartRequest>,
+  ) -> Result<
+    tonic::Response<PrivilegedResetUserPasswordStartResponse>,
+    tonic::Status,
+  > {
+    unimplemented!()
+  }
+
+  #[tracing::instrument(skip_all)]
+  async fn privileged_reset_user_password_finish(
+    &self,
+    _request: tonic::Request<PrivilegedResetUserPasswordFinishRequest>,
+  ) -> Result<tonic::Response<Empty>, tonic::Status> {
+    unimplemented!()
+  }
+
   #[tracing::instrument(skip_all)]
   async fn get_device_list_for_user(
     &self,
diff --git a/shared/protos/identity_auth.proto b/shared/protos/identity_auth.proto
--- a/shared/protos/identity_auth.proto
+++ b/shared/protos/identity_auth.proto
@@ -69,6 +69,13 @@
   rpc PrivilegedDeleteUsers(PrivilegedDeleteUsersRequest) returns
     (identity.unauth.Empty) {};
 
+  // Called by Comm staff to reset user passwords. Usage is strictly limited to
+  // accounts that have requested a password reset.
+  rpc PrivilegedResetUserPasswordStart(PrivilegedResetUserPasswordStartRequest)
+    returns (PrivilegedResetUserPasswordStartResponse) {};
+  rpc PrivilegedResetUserPasswordFinish
+    (PrivilegedResetUserPasswordFinishRequest) returns
+    (identity.unauth.Empty) {};
 
   /* Device list actions */
 
@@ -251,6 +258,28 @@
   repeated string user_ids = 1;
 }
 
+// PrivilegedResetUserPassword
+
+message PrivilegedResetUserPasswordStartRequest {
+  // Initiate PAKE registration with new password
+  bytes opaque_registration_request = 1;
+  string username = 2;
+}
+
+message PrivilegedResetUserPasswordStartResponse {
+  // Identifier used to correlate start request with finish request
+  string session_id = 1;
+  // Continue PAKE registration on server with new password
+  bytes opaque_registration_response = 2;
+}
+
+message PrivilegedResetUserPasswordFinishRequest {
+  // Identifier used to correlate start and finish request
+  string session_id = 1;
+  // Complete PAKE registration with new password
+  bytes opaque_registration_upload = 2;
+}
+
 // GetDeviceListForUser
 
 message GetDeviceListRequest {
diff --git a/web/protobufs/identity-auth-client.cjs b/web/protobufs/identity-auth-client.cjs
--- a/web/protobufs/identity-auth-client.cjs
+++ b/web/protobufs/identity-auth-client.cjs
@@ -932,6 +932,128 @@
 };
 
 
+/**
+ * @const
+ * @type {!grpc.web.MethodDescriptor<
+ *   !proto.identity.auth.PrivilegedResetUserPasswordStartRequest,
+ *   !proto.identity.auth.PrivilegedResetUserPasswordStartResponse>}
+ */
+const methodDescriptor_IdentityClientService_PrivilegedResetUserPasswordStart = new grpc.web.MethodDescriptor(
+  '/identity.auth.IdentityClientService/PrivilegedResetUserPasswordStart',
+  grpc.web.MethodType.UNARY,
+  proto.identity.auth.PrivilegedResetUserPasswordStartRequest,
+  proto.identity.auth.PrivilegedResetUserPasswordStartResponse,
+  /**
+   * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} request
+   * @return {!Uint8Array}
+   */
+  function(request) {
+    return request.serializeBinary();
+  },
+  proto.identity.auth.PrivilegedResetUserPasswordStartResponse.deserializeBinary
+);
+
+
+/**
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} request The
+ *     request proto
+ * @param {?Object<string, string>} metadata User defined
+ *     call metadata
+ * @param {function(?grpc.web.RpcError, ?proto.identity.auth.PrivilegedResetUserPasswordStartResponse)}
+ *     callback The callback function(error, response)
+ * @return {!grpc.web.ClientReadableStream<!proto.identity.auth.PrivilegedResetUserPasswordStartResponse>|undefined}
+ *     The XHR Node Readable Stream
+ */
+proto.identity.auth.IdentityClientServiceClient.prototype.privilegedResetUserPasswordStart =
+    function(request, metadata, callback) {
+  return this.client_.rpcCall(this.hostname_ +
+      '/identity.auth.IdentityClientService/PrivilegedResetUserPasswordStart',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_PrivilegedResetUserPasswordStart,
+      callback);
+};
+
+
+/**
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} request The
+ *     request proto
+ * @param {?Object<string, string>=} metadata User defined
+ *     call metadata
+ * @return {!Promise<!proto.identity.auth.PrivilegedResetUserPasswordStartResponse>}
+ *     Promise that resolves to the response
+ */
+proto.identity.auth.IdentityClientServicePromiseClient.prototype.privilegedResetUserPasswordStart =
+    function(request, metadata) {
+  return this.client_.unaryCall(this.hostname_ +
+      '/identity.auth.IdentityClientService/PrivilegedResetUserPasswordStart',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_PrivilegedResetUserPasswordStart);
+};
+
+
+/**
+ * @const
+ * @type {!grpc.web.MethodDescriptor<
+ *   !proto.identity.auth.PrivilegedResetUserPasswordFinishRequest,
+ *   !proto.identity.unauth.Empty>}
+ */
+const methodDescriptor_IdentityClientService_PrivilegedResetUserPasswordFinish = new grpc.web.MethodDescriptor(
+  '/identity.auth.IdentityClientService/PrivilegedResetUserPasswordFinish',
+  grpc.web.MethodType.UNARY,
+  proto.identity.auth.PrivilegedResetUserPasswordFinishRequest,
+  identity_unauth_pb.Empty,
+  /**
+   * @param {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest} request
+   * @return {!Uint8Array}
+   */
+  function(request) {
+    return request.serializeBinary();
+  },
+  identity_unauth_pb.Empty.deserializeBinary
+);
+
+
+/**
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest} request The
+ *     request proto
+ * @param {?Object<string, string>} metadata User defined
+ *     call metadata
+ * @param {function(?grpc.web.RpcError, ?proto.identity.unauth.Empty)}
+ *     callback The callback function(error, response)
+ * @return {!grpc.web.ClientReadableStream<!proto.identity.unauth.Empty>|undefined}
+ *     The XHR Node Readable Stream
+ */
+proto.identity.auth.IdentityClientServiceClient.prototype.privilegedResetUserPasswordFinish =
+    function(request, metadata, callback) {
+  return this.client_.rpcCall(this.hostname_ +
+      '/identity.auth.IdentityClientService/PrivilegedResetUserPasswordFinish',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_PrivilegedResetUserPasswordFinish,
+      callback);
+};
+
+
+/**
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest} request The
+ *     request proto
+ * @param {?Object<string, string>=} metadata User defined
+ *     call metadata
+ * @return {!Promise<!proto.identity.unauth.Empty>}
+ *     Promise that resolves to the response
+ */
+proto.identity.auth.IdentityClientServicePromiseClient.prototype.privilegedResetUserPasswordFinish =
+    function(request, metadata) {
+  return this.client_.unaryCall(this.hostname_ +
+      '/identity.auth.IdentityClientService/PrivilegedResetUserPasswordFinish',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_PrivilegedResetUserPasswordFinish);
+};
+
+
 /**
  * @const
  * @type {!grpc.web.MethodDescriptor<
diff --git a/web/protobufs/identity-auth-client.cjs.flow b/web/protobufs/identity-auth-client.cjs.flow
--- a/web/protobufs/identity-auth-client.cjs.flow
+++ b/web/protobufs/identity-auth-client.cjs.flow
@@ -109,6 +109,20 @@
                response: identityStructs.Empty) => void
   ): grpcWeb.ClientReadableStream<identityStructs.Empty>;
 
+  privilegedResetUserPasswordStart(
+    request: identityAuthStructs.PrivilegedResetUserPasswordStartRequest,
+    metadata: grpcWeb.Metadata | void,
+    callback: (err: grpcWeb.RpcError,
+               response: identityAuthStructs.PrivilegedResetUserPasswordStartResponse) => void
+  ): grpcWeb.ClientReadableStream<identityAuthStructs.PrivilegedResetUserPasswordStartResponse>;
+
+  privilegedResetUserPasswordFinish(
+    request: identityAuthStructs.PrivilegedResetUserPasswordFinishRequest,
+    metadata: grpcWeb.Metadata | void,
+    callback: (err: grpcWeb.RpcError,
+               response: identityStructs.Empty) => void
+  ): grpcWeb.ClientReadableStream<identityStructs.Empty>;
+
   getDeviceListForUser(
     request: identityAuthStructs.GetDeviceListRequest,
     metadata: grpcWeb.Metadata | void,
@@ -234,6 +248,16 @@
     metadata?: grpcWeb.Metadata
   ): Promise<identityStructs.Empty>;
 
+  privilegedResetUserPasswordStart(
+    request: identityAuthStructs.PrivilegedResetUserPasswordStartRequest,
+    metadata?: grpcWeb.Metadata
+  ): Promise<identityAuthStructs.PrivilegedResetUserPasswordStartResponse>;
+
+  privilegedResetUserPasswordFinish(
+    request: identityAuthStructs.PrivilegedResetUserPasswordFinishRequest,
+    metadata?: grpcWeb.Metadata
+  ): Promise<identityStructs.Empty>;
+
   getDeviceListForUser(
     request: identityAuthStructs.GetDeviceListRequest,
     metadata?: grpcWeb.Metadata
diff --git a/web/protobufs/identity-auth-structs.cjs b/web/protobufs/identity-auth-structs.cjs
--- a/web/protobufs/identity-auth-structs.cjs
+++ b/web/protobufs/identity-auth-structs.cjs
@@ -44,6 +44,9 @@
 goog.exportSymbol('proto.identity.auth.PlatformDetails', null, global);
 goog.exportSymbol('proto.identity.auth.PrimaryDeviceLogoutRequest', null, global);
 goog.exportSymbol('proto.identity.auth.PrivilegedDeleteUsersRequest', null, global);
+goog.exportSymbol('proto.identity.auth.PrivilegedResetUserPasswordFinishRequest', null, global);
+goog.exportSymbol('proto.identity.auth.PrivilegedResetUserPasswordStartRequest', null, global);
+goog.exportSymbol('proto.identity.auth.PrivilegedResetUserPasswordStartResponse', null, global);
 goog.exportSymbol('proto.identity.auth.RefreshUserPrekeysRequest', null, global);
 goog.exportSymbol('proto.identity.auth.UpdateDeviceListRequest', null, global);
 goog.exportSymbol('proto.identity.auth.UpdateUserPasswordFinishRequest', null, global);
@@ -452,6 +455,69 @@
    */
   proto.identity.auth.PrivilegedDeleteUsersRequest.displayName = 'proto.identity.auth.PrivilegedDeleteUsersRequest';
 }
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.identity.auth.PrivilegedResetUserPasswordStartRequest, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.identity.auth.PrivilegedResetUserPasswordStartRequest.displayName = 'proto.identity.auth.PrivilegedResetUserPasswordStartRequest';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.identity.auth.PrivilegedResetUserPasswordStartResponse, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.identity.auth.PrivilegedResetUserPasswordStartResponse.displayName = 'proto.identity.auth.PrivilegedResetUserPasswordStartResponse';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.identity.auth.PrivilegedResetUserPasswordFinishRequest, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.displayName = 'proto.identity.auth.PrivilegedResetUserPasswordFinishRequest';
+}
 /**
  * Generated by JsPbCodeGenerator.
  * @param {Array=} opt_data Optional initial data array, typically from a
@@ -4417,6 +4483,558 @@
 
 
 
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.toObject = function(opt_includeInstance) {
+  return proto.identity.auth.PrivilegedResetUserPasswordStartRequest.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    opaqueRegistrationRequest: msg.getOpaqueRegistrationRequest_asB64(),
+    username: jspb.Message.getFieldWithDefault(msg, 2, "")
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.identity.auth.PrivilegedResetUserPasswordStartRequest;
+  return proto.identity.auth.PrivilegedResetUserPasswordStartRequest.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {!Uint8Array} */ (reader.readBytes());
+      msg.setOpaqueRegistrationRequest(value);
+      break;
+    case 2:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setUsername(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.identity.auth.PrivilegedResetUserPasswordStartRequest.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getOpaqueRegistrationRequest_asU8();
+  if (f.length > 0) {
+    writer.writeBytes(
+      1,
+      f
+    );
+  }
+  f = message.getUsername();
+  if (f.length > 0) {
+    writer.writeString(
+      2,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional bytes opaque_registration_request = 1;
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.getOpaqueRegistrationRequest = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * optional bytes opaque_registration_request = 1;
+ * This is a type-conversion wrapper around `getOpaqueRegistrationRequest()`
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.getOpaqueRegistrationRequest_asB64 = function() {
+  return /** @type {string} */ (jspb.Message.bytesAsB64(
+      this.getOpaqueRegistrationRequest()));
+};
+
+
+/**
+ * optional bytes opaque_registration_request = 1;
+ * Note that Uint8Array is not supported on all browsers.
+ * @see http://caniuse.com/Uint8Array
+ * This is a type-conversion wrapper around `getOpaqueRegistrationRequest()`
+ * @return {!Uint8Array}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.getOpaqueRegistrationRequest_asU8 = function() {
+  return /** @type {!Uint8Array} */ (jspb.Message.bytesAsU8(
+      this.getOpaqueRegistrationRequest()));
+};
+
+
+/**
+ * @param {!(string|Uint8Array)} value
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} returns this
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.setOpaqueRegistrationRequest = function(value) {
+  return jspb.Message.setProto3BytesField(this, 1, value);
+};
+
+
+/**
+ * optional string username = 2;
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.getUsername = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} returns this
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.setUsername = function(value) {
+  return jspb.Message.setProto3StringField(this, 2, value);
+};
+
+
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.prototype.toObject = function(opt_includeInstance) {
+  return proto.identity.auth.PrivilegedResetUserPasswordStartResponse.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartResponse} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    sessionId: jspb.Message.getFieldWithDefault(msg, 1, ""),
+    opaqueRegistrationResponse: msg.getOpaqueRegistrationResponse_asB64()
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartResponse}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.identity.auth.PrivilegedResetUserPasswordStartResponse;
+  return proto.identity.auth.PrivilegedResetUserPasswordStartResponse.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartResponse} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartResponse}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setSessionId(value);
+      break;
+    case 2:
+      var value = /** @type {!Uint8Array} */ (reader.readBytes());
+      msg.setOpaqueRegistrationResponse(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.identity.auth.PrivilegedResetUserPasswordStartResponse.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordStartResponse} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getSessionId();
+  if (f.length > 0) {
+    writer.writeString(
+      1,
+      f
+    );
+  }
+  f = message.getOpaqueRegistrationResponse_asU8();
+  if (f.length > 0) {
+    writer.writeBytes(
+      2,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional string session_id = 1;
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.prototype.getSessionId = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartResponse} returns this
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.prototype.setSessionId = function(value) {
+  return jspb.Message.setProto3StringField(this, 1, value);
+};
+
+
+/**
+ * optional bytes opaque_registration_response = 2;
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.prototype.getOpaqueRegistrationResponse = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
+};
+
+
+/**
+ * optional bytes opaque_registration_response = 2;
+ * This is a type-conversion wrapper around `getOpaqueRegistrationResponse()`
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.prototype.getOpaqueRegistrationResponse_asB64 = function() {
+  return /** @type {string} */ (jspb.Message.bytesAsB64(
+      this.getOpaqueRegistrationResponse()));
+};
+
+
+/**
+ * optional bytes opaque_registration_response = 2;
+ * Note that Uint8Array is not supported on all browsers.
+ * @see http://caniuse.com/Uint8Array
+ * This is a type-conversion wrapper around `getOpaqueRegistrationResponse()`
+ * @return {!Uint8Array}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.prototype.getOpaqueRegistrationResponse_asU8 = function() {
+  return /** @type {!Uint8Array} */ (jspb.Message.bytesAsU8(
+      this.getOpaqueRegistrationResponse()));
+};
+
+
+/**
+ * @param {!(string|Uint8Array)} value
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartResponse} returns this
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartResponse.prototype.setOpaqueRegistrationResponse = function(value) {
+  return jspb.Message.setProto3BytesField(this, 2, value);
+};
+
+
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.prototype.toObject = function(opt_includeInstance) {
+  return proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    sessionId: jspb.Message.getFieldWithDefault(msg, 1, ""),
+    opaqueRegistrationUpload: msg.getOpaqueRegistrationUpload_asB64()
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.identity.auth.PrivilegedResetUserPasswordFinishRequest;
+  return proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setSessionId(value);
+      break;
+    case 2:
+      var value = /** @type {!Uint8Array} */ (reader.readBytes());
+      msg.setOpaqueRegistrationUpload(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getSessionId();
+  if (f.length > 0) {
+    writer.writeString(
+      1,
+      f
+    );
+  }
+  f = message.getOpaqueRegistrationUpload_asU8();
+  if (f.length > 0) {
+    writer.writeBytes(
+      2,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional string session_id = 1;
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.prototype.getSessionId = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest} returns this
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.prototype.setSessionId = function(value) {
+  return jspb.Message.setProto3StringField(this, 1, value);
+};
+
+
+/**
+ * optional bytes opaque_registration_upload = 2;
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.prototype.getOpaqueRegistrationUpload = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
+};
+
+
+/**
+ * optional bytes opaque_registration_upload = 2;
+ * This is a type-conversion wrapper around `getOpaqueRegistrationUpload()`
+ * @return {string}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.prototype.getOpaqueRegistrationUpload_asB64 = function() {
+  return /** @type {string} */ (jspb.Message.bytesAsB64(
+      this.getOpaqueRegistrationUpload()));
+};
+
+
+/**
+ * optional bytes opaque_registration_upload = 2;
+ * Note that Uint8Array is not supported on all browsers.
+ * @see http://caniuse.com/Uint8Array
+ * This is a type-conversion wrapper around `getOpaqueRegistrationUpload()`
+ * @return {!Uint8Array}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.prototype.getOpaqueRegistrationUpload_asU8 = function() {
+  return /** @type {!Uint8Array} */ (jspb.Message.bytesAsU8(
+      this.getOpaqueRegistrationUpload()));
+};
+
+
+/**
+ * @param {!(string|Uint8Array)} value
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordFinishRequest} returns this
+ */
+proto.identity.auth.PrivilegedResetUserPasswordFinishRequest.prototype.setOpaqueRegistrationUpload = function(value) {
+  return jspb.Message.setProto3BytesField(this, 2, value);
+};
+
+
+
+
+
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
  * Creates an object representation of this proto.
diff --git a/web/protobufs/identity-auth-structs.cjs.flow b/web/protobufs/identity-auth-structs.cjs.flow
--- a/web/protobufs/identity-auth-structs.cjs.flow
+++ b/web/protobufs/identity-auth-structs.cjs.flow
@@ -457,6 +457,72 @@
   userIdsList: Array<string>,
 }
 
+declare export class PrivilegedResetUserPasswordStartRequest extends Message {
+  getOpaqueRegistrationRequest(): Uint8Array | string;
+  getOpaqueRegistrationRequest_asU8(): Uint8Array;
+  getOpaqueRegistrationRequest_asB64(): string;
+  setOpaqueRegistrationRequest(value: Uint8Array | string): PrivilegedResetUserPasswordStartRequest;
+
+  getUsername(): string;
+  setUsername(value: string): PrivilegedResetUserPasswordStartRequest;
+
+  serializeBinary(): Uint8Array;
+  toObject(includeInstance?: boolean): PrivilegedResetUserPasswordStartRequestObject;
+  static toObject(includeInstance: boolean, msg: PrivilegedResetUserPasswordStartRequest): PrivilegedResetUserPasswordStartRequestObject;
+  static serializeBinaryToWriter(message: PrivilegedResetUserPasswordStartRequest, writer: BinaryWriter): void;
+  static deserializeBinary(bytes: Uint8Array): PrivilegedResetUserPasswordStartRequest;
+  static deserializeBinaryFromReader(message: PrivilegedResetUserPasswordStartRequest, reader: BinaryReader): PrivilegedResetUserPasswordStartRequest;
+}
+
+export type PrivilegedResetUserPasswordStartRequestObject = {
+  opaqueRegistrationRequest: Uint8Array | string,
+  username: string,
+}
+
+declare export class PrivilegedResetUserPasswordStartResponse extends Message {
+  getSessionId(): string;
+  setSessionId(value: string): PrivilegedResetUserPasswordStartResponse;
+
+  getOpaqueRegistrationResponse(): Uint8Array | string;
+  getOpaqueRegistrationResponse_asU8(): Uint8Array;
+  getOpaqueRegistrationResponse_asB64(): string;
+  setOpaqueRegistrationResponse(value: Uint8Array | string): PrivilegedResetUserPasswordStartResponse;
+
+  serializeBinary(): Uint8Array;
+  toObject(includeInstance?: boolean): PrivilegedResetUserPasswordStartResponseObject;
+  static toObject(includeInstance: boolean, msg: PrivilegedResetUserPasswordStartResponse): PrivilegedResetUserPasswordStartResponseObject;
+  static serializeBinaryToWriter(message: PrivilegedResetUserPasswordStartResponse, writer: BinaryWriter): void;
+  static deserializeBinary(bytes: Uint8Array): PrivilegedResetUserPasswordStartResponse;
+  static deserializeBinaryFromReader(message: PrivilegedResetUserPasswordStartResponse, reader: BinaryReader): PrivilegedResetUserPasswordStartResponse;
+}
+
+export type PrivilegedResetUserPasswordStartResponseObject = {
+  sessionId: string,
+  opaqueRegistrationResponse: Uint8Array | string,
+}
+
+declare export class PrivilegedResetUserPasswordFinishRequest extends Message {
+  getSessionId(): string;
+  setSessionId(value: string): PrivilegedResetUserPasswordFinishRequest;
+
+  getOpaqueRegistrationUpload(): Uint8Array | string;
+  getOpaqueRegistrationUpload_asU8(): Uint8Array;
+  getOpaqueRegistrationUpload_asB64(): string;
+  setOpaqueRegistrationUpload(value: Uint8Array | string): PrivilegedResetUserPasswordFinishRequest;
+
+  serializeBinary(): Uint8Array;
+  toObject(includeInstance?: boolean): PrivilegedResetUserPasswordFinishRequestObject;
+  static toObject(includeInstance: boolean, msg: PrivilegedResetUserPasswordFinishRequest): PrivilegedResetUserPasswordFinishRequestObject;
+  static serializeBinaryToWriter(message: PrivilegedResetUserPasswordFinishRequest, writer: BinaryWriter): void;
+  static deserializeBinary(bytes: Uint8Array): PrivilegedResetUserPasswordFinishRequest;
+  static deserializeBinaryFromReader(message: PrivilegedResetUserPasswordFinishRequest, reader: BinaryReader): PrivilegedResetUserPasswordFinishRequest;
+}
+
+export type PrivilegedResetUserPasswordFinishRequestObject = {
+  sessionId: string,
+  opaqueRegistrationUpload: Uint8Array | string,
+}
+
 export type SinceTimestampCase = 0 | 2;
 
 declare export class GetDeviceListRequest extends Message {