Gitlab update, 2FA now mandatory

Kevin Kofler kevin.kofler at
Mon Oct 24 00:37:23 BST 2022

Ben Cooksley wrote:
> On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler <kevin.kofler at>
> wrote:
>> IMHO, this is both an absolutely unacceptable barrier to entry and a
>> constant annoyance each time one has to log in.
> You shouldn't have any issues with remaining logged in as long as your
> browser remains open.

I wrote "each time one has to log in", not "remaining logged in".

I sure hope that I just have to jump through the 2FA hoops only once per 
login and not several times. But that is still one time too many.

And "as long as your browser remains open" is at most one day. I turn the 
computer off while I sleep. So if this change forces me to log in each time 
I restart the browser, and hence at least each time I restart the computer 
(which is currently *not* the case, I can remain logged in for days 
throughout hundreds of browser sessions), that would mean going through the 
2FA procedure at least every day.

> I did not supply a list of applications that people should be using as
> there is a diverse range of devices and appstore ecosystems in use by
> different people, and I don't have access to hardware such as a PinePhone
> to validate any of that.

So you are single-handedly forcing a new requirement on everyone, but are 
not willing to help us in any way with it, even just by telling us how to 
fulfill it. That is very unhelpful.

And you conveniently evaded my main questions:
* why such a change can be decided by one person suddenly on a Sunday 
morning, with no warning (well, the software "gracefully" gives us 2 days to 
comply… only two days!), let alone (transparent) discussion.
* what the point of two-factor is at all considering that you have no way to 
prevent the developer from storing the password and the OTP generator on the 
same device.

In short, the 2FA requirement is unacceptable and needs to be disabled 

        Kevin Kofler


> For most people the set of addresses they will be logging in from won't
> change much (given that the vast majority of people use always-on internet
> connections now, which means IP addresses - even if theoretically dynamic
> - are in practice fairly static).

"fairly static" does not mean it never changes, as in my case. But we need 
not discuss this tangent any further. The mandatory 2FA nonsense is the real 
issue, let us please focus on that.

More information about the kde-core-devel mailing list