Gitlab update, 2FA now mandatory

Ben Cooksley bcooksley at kde.org
Mon Oct 24 04:30:31 BST 2022


On Mon, Oct 24, 2022 at 12:37 PM Kevin Kofler <kevin.kofler at chello.at>
wrote:

> Ben Cooksley wrote:
> > On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler <kevin.kofler at chello.at>
> > wrote:
> >> IMHO, this is both an absolutely unacceptable barrier to entry and a
> >> constant annoyance each time one has to log in.
> >
> > You shouldn't have any issues with remaining logged in as long as your
> > browser remains open.
>
> I wrote "each time one has to log in", not "remaining logged in".
>
> I sure hope that I just have to jump through the 2FA hoops only once per
> log in and not several times. But that is still one time too many.
>
> And "as long as your browser remains open" is at most one day. I turn the
> computer off while I sleep. So if this change forces me to log in each time
> I restart the browser, and hence at least each time I restart the computer
> (which is currently *not* the case, I can remain logged in for days
> throughout hundreds of browser sessions), that would mean going through the
> 2FA procedure at least every day.
>

The 2FA prompt (for normal users) is only applied on login, yes.
Note that I can't examine your experience exactly as admins get prompted to
reauthenticate more frequently, especially when undertaking sensitive
actions.

See https://gitlab.com/gitlab-org/gitlab/-/issues/16656 for more
surrounding 2FA on each login.

With respect to logins being remembered, I have just performed a test using
a vanilla version of Firefox as shipped by OpenSUSE.
Logging into invent.kde.org (with the "Remember me" box ticked), completing
2FA authentication, performing a few actions and then closing the browser
followed by reopening it a few moments later led to the result I expected -
that I was still logged into Gitlab.


> > I did not supply a list of applications that people should be using as
> > there is a diverse range of devices and appstore ecosystems in use by
> > different people, and I don't have access to hardware such as a PinePhone
> > to validate any of that.
>
> So you are single-handedly forcing a new requirement on everyone, but are
> not willing to help us in any way with it, even just by telling us how to
> fulfill it. That is very unhelpful.
>

I could have provided links to a few applications.
They wouldn't have suited everyone though, so I opted not to do so on the
basis that there are dozens of apps that support handling TOTP.


>
> And you conveniently evaded my main questions:
> * why such a change can be decided by one person suddenly on a Sunday
> morning, with no warning (well, the software "gracefully" gives us 2 days to
> comply… only two days!), let alone (transparent) discussion.
>

As mentioned in my initial email - securing us against suspicious activity
that has been detected.
This is also why there was no discussion in advance.

One of the responsibilities that Sysadmin is charged with is ensuring our
data is protected and kept safe.
That is exactly what I am doing - using industry standard best practices.


> * what the point of two-factor is at all considering that you have no way to
> prevent the developer from storing the password and the OTP generator on the
> same device.
>

** Caution - a strawman argument has been detected **

The point of 2FA is to prevent stolen credentials from being misused by an
attacker.
If your device is compromised, 2FA isn't going to stop anything because
they can just wait (or otherwise prompt) for you to login to the site and
steal your session to do whatever it is they want to do.


>
> In short, the 2FA requirement is unacceptable and needs to be disabled
> immediately.
>

On that we disagree fundamentally.

Regards,
Ben


>
>         Kevin Kofler
>
> PS/OT:
>
> > For most people the set of addresses they will be logging in from won't
> > change much (given that the vast majority of people use always-on internet
> > connections now, which means IP addresses - even if theoretically dynamic
> > - are in practice fairly static).
>
> "fairly static" does not mean it never changes, as in my case. But we need
> not discuss this tangent any further. The mandatory 2FA nonsense is the real
> issue, let us please focus on that.
>
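Added illustration, not part of the original thread and not GitLab's or KDE
Sysadmin's code: the message above argues that the second factor exists to
stop a stolen or phished password from being enough on its own, and that any
TOTP app will do because the algorithm is standard. The block below implements
RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits, the defaults
GitLab and most authenticator apps use) and checks them against the RFC's
published test vectors. The user store, make_user() and login() are
hypothetical stand-ins for a server's login path, written to show that the
correct password with no code is rejected, a code is accepted only once per
step, and the verifier tolerates one step of clock drift. The base32 secret is
the RFC test key, not a real one.

```python
"""TOTP (RFC 6238) verification as a worked example of the second factor.

Illustration only: login(), make_user() and the dict-based user record are
assumed helpers, not GitLab's implementation. The secret and expected codes
are the RFC 4226 / RFC 6238 reference vectors.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# RFC reference secret "12345678901234567890", in the base32 form that
# authenticator apps import from a provisioning URI / QR code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    Accepts the current step and `window` steps either side so a phone whose
    clock drifts by a few seconds still works; compares in constant time so
    a partial match leaks nothing about the expected digits.
    """
    key = base64.b32decode(secret_b32)
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return counter + delta
    return None


# --- hypothetical server-side user record and login path ---------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the example."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret_b32: str) -> dict:
    salt, digest = hash_password(password)
    # last_counter records the newest TOTP step already consumed (replay guard).
    return {"salt": salt, "pw": digest, "totp": totp_secret_b32, "last_counter": -1}


def login(user: dict, password: str, code: Optional[str], at: int) -> bool:
    """Both factors must pass; each TOTP step may be used at most once."""
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["pw"]):
        return False
    matched = verify_totp(user["totp"], code, at) if code is not None else None
    if matched is None or matched <= user["last_counter"]:
        return False
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    now = 1111111109  # sample time from the RFC 6238 test table
    user = make_user("correct horse", RFC_SECRET_B32)
    print(totp(RFC_SECRET_B32, now))                                 # 081804
    # Attacker holding a stolen password but no generator: rejected.
    print(login(user, "correct horse", None, now))                   # False
    # Legitimate user with password and current code: accepted once,
    print(login(user, "correct horse", totp(RFC_SECRET_B32, now), now))  # True
    # but replaying the same code within the same step is rejected.
    print(login(user, "correct horse", totp(RFC_SECRET_B32, now), now))  # False
```

The replay guard is why a code is consumed per step rather than per login
attempt; a keylogged password plus a code captured off the wire is only
useful until the step rolls over and, with the guard, not even then. It does
nothing against the compromised-device case the message describes, where the
attacker simply rides the authenticated session.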
More information about the kde-core-devel mailing list