Gitlab update, 2FA now mandatory

Carl Schwan carl at carlschwan.eu
Tue Oct 25 11:11:46 BST 2022


On Sunday 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) <christoph at cullmann.io> wrote:


> On 2022-10-23 08:32, Ben Cooksley wrote:
> 
> > Hi all,
> > 
> > This afternoon I updated invent.kde.org [1] to the latest version of
> > Gitlab, 15.5.
> > Release notes for this can be found at
> > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > 
> > There isn't much notable feature wise in this release, however there
> > have been some bug fixes surrounding the "Rebase without Pipeline"
> > functionality that was introduced in an earlier update.
> > 
> > As part of securing Invent against recently detected suspicious
> > activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> > to configure next time you access it. This can be done using either a
> > Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> > your phone)
> > 
> > Should you lose access to your 2FA device you can obtain a recovery
> > token to log back in via SSH, see
> > https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> > for more details on this.
> > 
> > Please let us know if there are any queries on the above.
> 
> 
> Hi,
> 
> whereas I can see the security benefit, this raises the hurdle for
> one-time contributors again a lot.
> 
> Before you already had to register to get your merge request,
> now you need to set up this too (or at least soon it is mandatory).
> 
> I am not sure this is such a good thing.
> 
> I see a point that one wants to avoid that e.g. somebody steals my
> account that has enough rights to delete all branches in the Kate
> repository via the web frontend.
> 
> Could the 2FA stuff perhaps be limited to people with developer role or
> such?

Yes, this would be ideal. We don't need to require 2FA for people who just
started contributing or want to give some feedback on a MR/ticket.

This should be possible with the following features:
https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group

We can just require 2FA for developers because with great powers come great
responsibilities.

Cheers,
Carl

> 
> Greetings
> Christoph
> 
> > Thanks,
> > Ben
> > 
> > Links:
> > ------
> > [1] http://invent.kde.org
> 
> 
> --
> Ignorance is bliss...
> https://cullmann.io | https://kate-editor.org
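Added example (not from the thread, and not KDE sysadmin tooling): a small Python helper showing what the group-level enforcement Carl links to actually sets, plus an audit of which members at Developer or above would be affected. It uses the documented GitLab API field names (`require_two_factor_authentication` and `two_factor_grace_period` on `PUT /groups/:id`, `access_level` from the members API, `two_factor_enabled` from the admin users API); the member and user records below are constructed sample data, not Invent's. One caveat a practitioner should know before relying on this for Carl's proposal: the group-level setting applies to every member of the group, not only developers, so the role filter here is for reporting who is affected, not for enforcing 2FA by role.

```python
"""Group-level 2FA enforcement helper for GitLab.

Added example, not code from the kde-community thread or from KDE's
infrastructure. Field names follow the GitLab REST API; the records are
constructed samples so the script runs offline.
"""
from __future__ import annotations

# Access levels as reported in the Members API `access_level` field.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50


def enforcement_payload(grace_hours: int = 48) -> dict:
    """Request body for `PUT /groups/:id` that requires 2FA of all members.

    GitLab applies this to every member of the group and its subgroups,
    regardless of role. `two_factor_grace_period` is the number of hours a
    member may keep using the site before being forced to enrol.
    """
    if grace_hours < 0:
        raise ValueError("grace period must be non-negative")
    return {
        "require_two_factor_authentication": True,
        "two_factor_grace_period": grace_hours,
    }


def members_without_2fa(members: list[dict], users: list[dict],
                        min_level: int = DEVELOPER) -> list[str]:
    """Usernames of members at or above `min_level` whose 2FA is off.

    `members` is shaped like `GET /groups/:id/members/all` (id, username,
    access_level); `users` like the admin-only `GET /users/:id` response,
    which carries `two_factor_enabled`. A member with no matching user
    record is reported as well, so nobody silently drops out of the audit.
    """
    by_id = {u["id"]: u for u in users}
    affected = []
    for m in members:
        if m["access_level"] < min_level:
            continue
        user = by_id.get(m["id"])
        if user is None or not user.get("two_factor_enabled", False):
            affected.append(m["username"])
    return sorted(affected)


# Constructed sample data (hypothetical accounts, not real Invent users).
SAMPLE_MEMBERS = [
    {"id": 1, "username": "alice", "access_level": OWNER},
    {"id": 2, "username": "bob", "access_level": DEVELOPER},
    {"id": 3, "username": "carol", "access_level": REPORTER},
    {"id": 4, "username": "dave", "access_level": DEVELOPER},
]
SAMPLE_USERS = [
    {"id": 1, "two_factor_enabled": True},
    {"id": 2, "two_factor_enabled": False},
    {"id": 3, "two_factor_enabled": False},
    {"id": 4, "two_factor_enabled": True},
]


if __name__ == "__main__":
    print("PUT /groups/:id body:", enforcement_payload(48))
    print("Developer+ without 2FA:", members_without_2fa(SAMPLE_MEMBERS, SAMPLE_USERS))
    print("Everyone without 2FA:",
          members_without_2fa(SAMPLE_MEMBERS, SAMPLE_USERS, min_level=GUEST))
```

Run against a live instance you would feed `members_without_2fa` the JSON from the two endpoints named in the docstrings, and send `enforcement_payload()` with an admin or owner token. The recovery path Ben mentions is independent of this: a member who has lost their device can regenerate codes with `ssh git@invent.kde.org 2fa_recovery_codes` as long as their SSH key is still registered.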


More information about the kde-community mailing list