diff --git a/keyserver/addons/rust-node-addon/src/identity_client/privileged_reset_user_password.rs b/keyserver/addons/rust-node-addon/src/identity_client/privileged_reset_user_password.rs
--- a/keyserver/addons/rust-node-addon/src/identity_client/privileged_reset_user_password.rs
+++ b/keyserver/addons/rust-node-addon/src/identity_client/privileged_reset_user_password.rs
@@ -26,6 +26,7 @@
     PrivilegedResetUserPasswordStartRequest {
       opaque_registration_request,
       username,
+      skip_password_reset: false,
     };
 
   let response = identity_client
diff --git a/shared/protos/identity_auth.proto b/shared/protos/identity_auth.proto
--- a/shared/protos/identity_auth.proto
+++ b/shared/protos/identity_auth.proto
@@ -264,6 +264,8 @@
   // Initiate PAKE registration with new password
   bytes opaque_registration_request = 1;
   string username = 2;
+  // when true, user is reset to unsigned device list without password change
+  bool skip_password_reset = 3;
 }
 
 message PrivilegedResetUserPasswordStartResponse {
diff --git a/web/protobufs/identity-auth-structs.cjs b/web/protobufs/identity-auth-structs.cjs
--- a/web/protobufs/identity-auth-structs.cjs
+++ b/web/protobufs/identity-auth-structs.cjs
@@ -4513,7 +4513,8 @@
 proto.identity.auth.PrivilegedResetUserPasswordStartRequest.toObject = function(includeInstance, msg) {
   var f, obj = {
     opaqueRegistrationRequest: msg.getOpaqueRegistrationRequest_asB64(),
-    username: jspb.Message.getFieldWithDefault(msg, 2, "")
+    username: jspb.Message.getFieldWithDefault(msg, 2, ""),
+    skipPasswordReset: jspb.Message.getBooleanFieldWithDefault(msg, 3, false)
   };
 
   if (includeInstance) {
@@ -4558,6 +4559,10 @@
       var value = /** @type {string} */ (reader.readString());
       msg.setUsername(value);
       break;
+    case 3:
+      var value = /** @type {boolean} */ (reader.readBool());
+      msg.setSkipPasswordReset(value);
+      break;
     default:
       reader.skipField();
       break;
@@ -4601,6 +4606,13 @@
       f
     );
   }
+  f = message.getSkipPasswordReset();
+  if (f) {
+    writer.writeBool(
+      3,
+      f
+    );
+  }
 };
 
 
@@ -4664,6 +4676,24 @@
 };
 
 
+/**
+ * optional bool skip_password_reset = 3;
+ * @return {boolean}
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.getSkipPasswordReset = function() {
+  return /** @type {boolean} */ (jspb.Message.getBooleanFieldWithDefault(this, 3, false));
+};
+
+
+/**
+ * @param {boolean} value
+ * @return {!proto.identity.auth.PrivilegedResetUserPasswordStartRequest} returns this
+ */
+proto.identity.auth.PrivilegedResetUserPasswordStartRequest.prototype.setSkipPasswordReset = function(value) {
+  return jspb.Message.setProto3BooleanField(this, 3, value);
+};
+
+
 
 
 
diff --git a/web/protobufs/identity-auth-structs.cjs.flow b/web/protobufs/identity-auth-structs.cjs.flow
--- a/web/protobufs/identity-auth-structs.cjs.flow
+++ b/web/protobufs/identity-auth-structs.cjs.flow
@@ -466,6 +466,9 @@
   getUsername(): string;
   setUsername(value: string): PrivilegedResetUserPasswordStartRequest;
 
+  getSkipPasswordReset(): boolean;
+  setSkipPasswordReset(value: boolean): PrivilegedResetUserPasswordStartRequest;
+
   serializeBinary(): Uint8Array;
   toObject(includeInstance?: boolean): PrivilegedResetUserPasswordStartRequestObject;
   static toObject(includeInstance: boolean, msg: PrivilegedResetUserPasswordStartRequest): PrivilegedResetUserPasswordStartRequestObject;
@@ -477,6 +480,7 @@
 export type PrivilegedResetUserPasswordStartRequestObject = {
   opaqueRegistrationRequest: Uint8Array | string,
   username: string,
+  skipPasswordReset: boolean,
 }
 
 declare export class PrivilegedResetUserPasswordStartResponse extends Message {