Gitlab update, 2FA now mandatory

argonel argonel at
Mon Oct 24 04:03:39 BST 2022

On Sun, Oct 23, 2022 at 7:37 PM Kevin Kofler <kevin.kofler at> wrote:

> * what the point of two-factor is at all considering that you have no way to
> prevent the developer from storing the password and the OTP generator on the
> same device.

The point is to add an authentication factor that isn't of any value
if it is accidentally shared, phished, or intercepted. The window of
opportunity for the reuse of a TOTP code is typically only 30 seconds,
and it's rather time intensive to derive the secret key from previous
codes for the account. You only need to see the secret key during
initial setup, so future logins aren't vulnerable to shoulder surfing.
Reuse of the secret key is unlikely, because services typically only
use the ones they generate.

Having more than one device able to authenticate is mostly a matter of
convenience, especially in the event of a hardware failure. Someone
having access to your single device sufficient to capture the password
and the secret key for the account is - hopefully - unlikely.

More information about the kde-core-devel mailing list