Enforce Two-factor Authentication (2FA)

Two-factor Authentication (2FA) provides an additional level of security to your users’ GitLab account. After being enabled, in addition to supplying their username and password to sign in, they’ll be prompted for a code generated by an application on their phone.

You can read more about it here: Two-factor Authentication (2FA)

Enforcing 2FA for all users

Users on GitLab can enable it without any administrator’s intervention. If you want to enforce everyone to set up 2FA, you can choose from two different ways:

  • Enforce on next login.
  • Suggest on next login, but allow a grace period before enforcing.

After the configured grace period has elapsed, users will be able to sign in but won’t be able to leave the 2FA configuration area at /profile/two_factor_auth.

To enable 2FA for all users:

  1. Navigate to Admin Area > Settings > General (/admin/application_settings/general).
  2. Expand the Sign-in restrictions section, where you can configure both.

If you want 2FA enforcement to take effect during the next sign-in attempt, change the grace period to 0.

Enforcing 2FA for all users in a group

If you want to enforce 2FA only for certain groups, you can:

  1. Enable it in the group’s Settings > General page. Navigate to Permissions, LFS, 2FA > Two-factor authentication. You can then select the Require all users in this group to setup Two-factor authentication option.
  2. You can also specify a grace period in the Time before enforced option.

To change this setting, you need to be administrator or owner of the group.

From GitLab 12.0, 2FA settings for a group are also applied to subgroups.

If you want to enforce 2FA only for certain groups, you can enable it in the group settings and specify a grace period as above. To change this setting you need to be administrator or owner of the group.

The following are important notes about 2FA:

  • Projects belonging to a 2FA-enabled group that is shared with a 2FA-disabled group will not require members of the 2FA-disabled group to use 2FA for the project. For example, if project P belongs to 2FA-enabled group A and is shared with 2FA-disabled group B, members of group B can access project P without 2FA. To ensure this scenario doesn’t occur, prevent sharing of projects for the 2FA-enabled group.
  • If you add additional members to a project within a group or subgroup that has 2FA enabled, 2FA is not required for those individually added members.
  • If there are multiple 2FA requirements (for example, group + all users, or multiple groups) the shortest grace period will be used.
  • It is possible to disallow subgroups from setting up their own 2FA requirements. Navigate to the top-level group’s Settings > General > Permissions, LFS, 2FA > Two-factor authentication and uncheck the Allow subgroups to set up their own two-factor authentication rule field. This action will cause all subgroups with 2FA requirements to stop requiring that from their members.

Disabling 2FA for everyone

cautionDisabling 2FA for everyone does not disable the enforce 2FA for all users or enforce 2FA for all users in a group settings. In addition to the steps in this section, you will need to disable any enforced 2FA settings so users aren’t asked to set up 2FA again, the next time the user signs in to GitLab. Disabling 2FA for everyone does not disable the enforce 2FA for all users or enforce 2FA for all users in a group settings if they have been configured. In addition to the steps in this section, you will need to disable any enforced 2FA settings so users aren’t asked to setup 2FA again when the next login to GitLab.

There may be some special situations where you want to disable 2FA for everyone even when forced 2FA is disabled. There is a Rake task for that:

# Omnibus installations
sudo gitlab-rake gitlab:two_factor:disable_for_all_users

# Installations from source
sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
cautionThis is a permanent and irreversible action. Users will have to reactivate 2FA from scratch if they want to use it again.

Two-factor Authentication (2FA) for Git over SSH operations

Version history
  • Introduced in GitLab 13.7.
  • Moved from GitLab Free to GitLab Premium in 13.9.
  • It’s deployed behind a feature flag, disabled by default.
  • It’s disabled on GitLab.com.
  • It’s not recommended for production use.
  • To use it in GitLab self-managed instances, ask a GitLab administrator to enable it.
cautionThis feature might not be available to you. Check the version history note above for details.

Two-factor authentication can be enforced for Git over SSH operations. The OTP verification can be done via a GitLab Shell command:

ssh git@<hostname> 2fa_verify

Once the OTP is verified, Git over SSH operations can be used for a session duration of 15 minutes (default) with the associated SSH key.

Security limitation

2FA does not protect users with compromised private SSH keys.

Once an OTP is verified, anyone can run Git over SSH with that private SSH key for the configured session duration.

Enable or disable Two-factor Authentication (2FA) for Git operations

Two-factor Authentication (2FA) for Git operations is under development and not ready for production use. It is deployed behind a feature flag that is disabled by default. GitLab administrators with access to the GitLab Rails console can enable it.

To enable it:

Feature.enable(:two_factor_for_cli)

To disable it:

Feature.disable(:two_factor_for_cli)

The feature flag affects these features: