Gitlab update, 2FA now mandatory

Kevin Kofler kevin.kofler at
Sun Oct 23 15:36:19 BST 2022


Ben Cooksley wrote:
> As part of securing Invent against recently detected suspicious activity 

What kind of suspicious activity would that be? Yesterday, Invent even 
considered it "suspicious" enough to send a warning e-mail that my semi-
static IP address (TV-cable broadband ISP) has changed after several months. 
Dynamic IP addresses are not exactly unusual.

> I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> next time you access it.

IMHO, this is both an absolutely unacceptable barrier to entry and a 
constant annoyance each time one has to log in.

> This can be done using either a Webauthn token (such as a Yubikey) or TOTP 
> (using the app of choice on your phone)

What am I expected to use with my PinePhone? Does work?

And how do you intend to prevent users from running the TOTP app on the same 
device as the web browser (both on the smartphone or even both on the 
desktop/notebook)? You just cannot. (As far as I know, even Yubikeys can be 
emulated in software.) Two-factor is a farce.

        Kevin Kofler

More information about the kde-core-devel mailing list