Account email verification

Tier: Free, Premium, Ultimate Offering: Self-managed
History
On self-managed GitLab, by default this feature is not available. To make it available, an administrator can enable the feature flag named require_email_verification. On GitLab.com and GitLab Dedicated, this feature is not available.

Account email verification provides an additional layer of GitLab account security. When certain conditions are met, an account is locked. If your account is locked, you must verify your identity or reset your password to sign in to GitLab.

For a demo, see Require email verification - demo.

On GitLab.com, if you don’t receive a verification email, select Resend Code before you contact the support team.

Accounts without two-factor authentication (2FA)

An account is locked when either:

  • There are three or more failed sign-in attempts in 24 hours.
  • A user attempts to sign in from a new IP address and the check_ip_address_for_email_verification feature flag is enabled.

A locked account without 2FA is not unlocked automatically.

After a successful sign in, an email with a six-digit verification code is sent. The verification code expires after 60 minutes.

To unlock your account, sign in and enter the verification code. You can also reset your password.

Accounts with 2FA or OAuth

An account is locked when there are ten or more failed sign-in attempts, or more than the amount defined in the configurable locked user policy.

Accounts with 2FA or OAuth are automatically unlocked after ten minutes, or more than the amount defined in the configurable locked user policy. To unlock an account manually, reset your password.