Back in 2018, I wrote a blog post on Keeping your GitLab account safe (and accessible) in which I outlined some of the ways that our users could make sure that they were keeping their accounts secure and recoverable.
Fast-forward to 2020 and GitLab as a company has matured. Today our users are starting to face attack-vectors that were previously unheard of on GitLab.com. As a result, we don’t want our security practices to be only going through the motions of security. We’ve all seen examples of companies whose Multi-Factor Authentication (MFA) reset policies negate the security benefits of MFA on accounts.
Today we’re announcing a change that will put account security wholly in the hands of our users.
As of Aug. 15th, 2020, GitLab Support will no longer process MFA resets for free accounts.
This change means that if you’re using GitLab with MFA you will want to ensure that you have an appropriate set of backup methods to recover your account.
- (Re)generate recovery codes and store them in a secure location
- Use a hardware token whenever possible
- Add an SSH key to your account to allow the generation of backup codes
If you are caught where you are not able to provide your MFA token and without these backup methods, your account will be irrecoverable.
What if I accidentally lose my phone/recovery keys or get a new laptop and forget to back up my SSH key?
If you lose your primary authentication method and all backup methods, your account will be irrecoverable.
What if this is a work account?
For accounts occupying a paid seat, created with a company email address, MFA resets can still be requested. There will be a minimum three business-day processing time and you'll be required to pass a number of security challenges to verify account ownership.
I don’t like this and I want to tell someone.
We’re accepting community feedback in this forum post, and invite contributors to share there.
Can I add my phone number as a recovery method?
We’re discussing this in the forum post, but phone numbers as a recovery method are problematic in many countries.
Can I add X as a recovery method?
GitLab is developed in collaboration with the wider community. We’re accepting merge requests and feature proposals in gitlab.com/gitlab-org/gitlab and look forward to building together.
Learn more about security best practices for your GitLab instance.
“.@gitlab Support is no longer processing MFA resets for free users” – Lyle Kozloff
Click to tweet