Gitlab update, 2FA now mandatory

Frederik Schwarzer schwarzer at kde.org
Tue Oct 25 07:29:27 BST 2022


Hi,

making assumptions or generalising a group of people will always "forget" about some people.

What about translators? Are they all as "techy" as you imagine all our devs are? (Spoiler: no they aren't)
What about older contributors (like me)? Are they all as up-to-date with emerging technologies as you think they are? Maybe not.

I do have 2FA at work. It's a hardware token with a "put the number in this field" workflow. I did not have to set that up, I just use it.
My bank uses a very special kind of 2FA which I just recently recognised as such. Meaning, I cannot use my bank's 2FA technology for anything else so it feels like a different tech.
Otherwise I have not yet had the need for 2FA in my private life. I despise having accounts, so I do not use Paypal, Google, Amazon, Microsoft, Facebook or any other of the "common" accounts and do my online shopping as guest to not bother with login stuff there either.

So now for the KDE login I had to set up 2FA for the first time and it involved some confusion. I managed to set up KeePassXC with TOTP now but not without a close call in ruining my tax authority account credentials in the process, because it was not clear to me at first that the "Set up TOTP" menu entry worked on one of the existing entries rather than enabling a separate way of adding accounts.

Speaking of taxes. In my country it's the last week for handing in tax reports, so I might have decided that my mind currently does not have enough free capacity to bother with keeping my KDE account working. The time span to handle this situation seems rather tight to me.

Anyway, while I see good reasoning behind the decision to use 2FA, I think it wasn't handled in a very good way. It would have been good to have more time for the change and also offer more support for people completely new to 2FA. Throwing in names of apps alone is not enough. Not everyone has time to spend an evening investigating those apps and then set one (or several) up just to realise it uses different terminology than gitlab (key vs secret key, pin vs password etc) which makes setting it up a fun little guessing game with quite some shrugging.

Please do not surprise a diverse group of people with different techy backgrounds, different ages and different levels of smartness (meaning: eagerness to dig into new topics asap) by making something mandatory just because you and everyone you know are familiar with that particular tech anyway.

On a side note, I have decided to use this as an opportunity to set up 2FA for more of the few accounts I have and I also bought two Yubikeys to play around with those as well ... But I do not assume everybody appreciates that kind of opportunity.

Cheers
Frederik



On 25 October 2022 05:39:32 CEST, Victoria Fierce <tdfischer at hackerbots.net> wrote:
>I would like to think that anyone who either knows /enough/ about KDE that they want to contribute or has used basically any other internet service before coming to KDE is already familiar with 2FA that it won't be a problem for them. Our users are smart, our devs are also (often) smart, everyone involved is probably smarter and more capable than we would imagine. If KDE contributions decline for any reason, I don't think it would be for technical ones. My bank needs 2FA, my paypal needs 2FA, my work needs lordt-knows-how-much 2FA, heck even when I'm using Matrix I need to do some kind of 2FA-ish dance to verify the login and distribute crypto keys.
>
>On Mon, Oct 24, 2022, at 9:19 AM, Christoph Cullmann (cullmann.io) wrote:
>> Hi,
>>
>>>> Could the 2FA stuff perhaps be limited to people with developer role
>>>> or
>>>> such?
>>> 
>>> It is technically possible to only apply the mandatory 2FA rules to
>>> only certain groups as Developer accounts are simply membership in
>>> teams/kde-developers.
>>> See
>>> https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
>>> for the documentation on this.
>>> 
>>> Given that we are using Invent for authenticating our various other
>>> services and the users of those aren't necessarily developers (while
>>> still having access to sensitive information) it seemed more prudent
>>> to enforce 2FA for everyone to ensure all our systems have a minimum
>>> baseline of industry best practice protection in place.
>>> 
>>> This also avoids any issue when people are granted a developer account
>>> and suddenly find themselves subject to a new requirement.
>>
>> I think it is rather worse that now first time contributors have this 
>> requirement.
>>
>> A lot of people already complain "why can I not just use my GitHub 
>> account",
>> now they need to setup this in addition.
>>
>> And yes, beside for invent.kde.org, I never needed to use my Google Auth
>> App beside for some hosting.
>>
>> All other things I use that have 2FA use different methods that don't 
>> need
>> any such app on my phone.
>>
>> Therefore that is more than just 2 clicks for a lot of people.
>>
>> Greetings
>> Christoph
>>
>> -- 
>> Ignorance is bliss...
>> https://cullmann.io | https://kate-editor.org