Gitlab update, 2FA now mandatory
Kevin Kofler
kevin.kofler at chello.at
Sun Oct 23 15:36:19 BST 2022
Hi,
Ben Cooksley wrote:
> As part of securing Invent against recently detected suspicious activity
What kind of suspicious activity would that be? Yesterday, Invent even
considered it "suspicious" enough to send a warning e-mail that my
semi-static IP address (TV-cable broadband ISP) has changed after several months.
Dynamic IP addresses are not exactly unusual.
> I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> next time you access it.
IMHO, this is both an absolutely unacceptable barrier to entry and a
constant annoyance each time one has to log in.
> This can be done using either a Webauthn token (such as a Yubikey) or TOTP
> (using the app of choice on your phone)
What am I expected to use with my PinePhone? Does
https://apps.kde.org/keysmith/ work?
And how do you intend to prevent users from running the TOTP app on the same
device as the web browser (both on the smartphone or even both on the
desktop/notebook)? You just cannot. (As far as I know, even Yubikeys can be
emulated in software.) Two-factor is a farce.
Kevin Kofler