Published on: August 4, 2020
From August 15th, GitLab Support will no longer be manually removing MFA from free accounts.
Back in 2018, I wrote a blog post on Keeping your GitLab account safe (and accessible) in which I outlined some of the ways that our users could make sure that they were keeping their accounts secure and recoverable.
Fast-forward to 2020 and GitLab as a company has matured. Today our users are starting to face attack vectors that were previously unheard of on GitLab.com. As a result, we don’t want our security practices to merely go through the motions of security. We’ve all seen examples of companies whose Multi-Factor Authentication (MFA) reset policies negate the security benefits of MFA on accounts.
Today we’re announcing a change that will put account security wholly in the hands of our users.
As of Aug. 15th, 2020, GitLab Support will no longer process MFA resets for free accounts.
This change means that if you’re using GitLab with MFA you will want to ensure that you have an appropriate set of backup methods to recover your account.
Namely:
If you find yourself unable to provide your MFA token and without these backup methods, your account will be irrecoverable.
If you lose your primary authentication method and all backup methods, your account will be irrecoverable.
For accounts occupying a paid seat, created with a company email address, MFA resets can still be requested. There will be a minimum three business-day processing time and you'll be required to pass a number of security challenges to verify account ownership.
We’re accepting community feedback in this forum post, and invite contributors to share there.
We’re discussing this in the forum post, but phone numbers as a recovery method are problematic in many countries.
GitLab is developed in collaboration with the wider community. We’re accepting merge requests and feature proposals in gitlab.com/gitlab-org/gitlab and look forward to building together.
Learn more about security best practices for your GitLab instance.