Gitlab update, 2FA now mandatory

Kevin Kofler kevin.kofler at chello.at
Tue Oct 25 03:24:12 BST 2022 

Ingo Klöcker wrote:
> You are the only person in this thread (on kde-core-devel) who has voiced
> their disagreement with using 2FA and who demand its immediate
> deactivation. Why do you think a single person (you) who isn't tasked with
> keeping our infrastructure and the data stored thereon secure should be
> able to decide this?

To be honest, I am genuinely surprised that there are not more complaints 
about that. I would have expected lots more. (On kde-community, there are a 
few posts by Christoph Cullmann worrying about the impact on new 
contributors, but even he does not seem to be opposed to 2FA for KDE 
developers. Other than that, I do not see any kind of criticism either.)

Unfortunately, it seems that people have learned to put up with pretty much 
any annoyance in the name of "security". (I blame airport "security".)

> I for one applaud the requirement to use 2FA on invent. I would love to
> see this on more websites.

That just confirms that this is NOT actually an "industry standard best 
practice" as Ben Cooksley is claiming, but a completely non-standard PITA 
that only a handful websites dare imposing on their users. (Invent is the 
ONLY website that I use that requires this. Note that I do not use online 
banking, and the ever-increasing security theater banks are imposing is the 
main reason why. There is a reason mandatory 2FA has not caught on outside 
of the banking sector.)

A lot of websites allow users to opt into 2FA (letting the security nerds 
have their toy to play around with without bothering the rest of the world), 
but forcing it down our throat is a wholely different matter.

> And, for what it's worth, since invent keeps personal information and
> since the GDPR requires using state-of-the-art technology to protect
> personal information, using 2FA is, in my opinion (but I'm not a lawyer),
> a must for any website that stores personal information.

See above, almost nobody else does this, so that interpretation of the GDPR 
is pure nonsense.

        Kevin Kofler

More information about the kde-core-devel mailing list