Gitlab update, 2FA now mandatory

Ben Cooksley bcooksley at kde.org
Sun Oct 23 23:45:18 BST 2022


On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler <kevin.kofler at chello.at> wrote:

> Hi,
>

Hi Kevin,


>
> Ben Cooksley wrote:
> > As part of securing Invent against recently detected suspicious activity
>
> What kind of suspicious activity would that be? Yesterday, Invent even
> considered it "suspicious" enough to send a warning e-mail that my semi-
> static IP address (TV-cable broadband ISP) has changed after several
> months.
> Dynamic IP addresses are not exactly unusual.
>

It was likely just flagging that you were logging in from a different IP
address to your usual address.
For most people the set of addresses they will be logging in from won't
change much (given that the vast majority of people use always-on internet
connections now, which means IP addresses - even if theoretically dynamic -
are in practice fairly static).

The suspicious activity is not related to static/dynamic IP addresses, and
as it is an ongoing matter I'd prefer not to comment until it is
satisfactorily resolved.


>
> > I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> > next time you access it.
>
> IMHO, this is both an absolutely unacceptable barrier to entry and a
> constant annoyance each time one has to log in.
>

You shouldn't have any issues with remaining logged in as long as your
browser remains open.

If this is not the behaviour you are seeing then please check the browser
addons/extensions you are using as these can often break functionality in
unexpected ways.
This is especially the case when they claim to offer benefits relating to
privacy or security (the EFF's HTTPS Everywhere extension several years
back broke links for some KDE sites by completely changing the subdomain).


>
> > This can be done using either a Webauthn token (such as a Yubikey) or
> > TOTP (using the app of choice on your phone)
>
> What am I expected to use with my PinePhone? Does
> https://apps.kde.org/keysmith/ work?
>

Please see the other responses to this thread.

I did not supply a list of applications that people should be using as
there is a diverse range of devices and appstore ecosystems in use by
different people, and I don't have access to hardware such as a PinePhone
to validate any of that.


>
> And how do you intend to prevent users from running the TOTP app on the
> same device as the web browser (both on the smartphone or even both on the
> desktop/notebook)? You just cannot. (As far as I know, even Yubikeys can
> be emulated in software.) Two-factor is a farce.


>         Kevin Kofler
>

Regards,
Ben