To strengthen the security of all user accounts on GitLab.com, GitLab is implementing mandatory multi-factor authentication (MFA) for all users who sign in, or authenticate to the API, using a username and password.
Why this is happening
This move is a vital part of our Secure by Design commitment. MFA provides critical defense against credential stuffing and account takeover attacks, which remain persistent threats across the software development industry.
What is changing?
GitLab is making MFA mandatory for sign-ins that authenticate with a username and password. This introduces a critical second layer of security beyond just a password.
Does this apply to me?
- Yes, it applies if: You sign in to GitLab.com with a username and a password, or use a password to authenticate to the API.
- No, it does not apply if: You exclusively use social sign-on (such as Google) or single sign-on (SSO) for access. (Please note: If you use SSO, but also have a password for direct login, you will still need MFA for any non-SSO, password-based login.)
When is the rollout?
- The implementation will be a phased approach over the coming months, intended to both minimize unexpected interruptions and productivity loss for users and prevent account lockouts. Groups of users will be asked to enable MFA over time. Each group will be selected based on the actions they’ve taken or the code they’ve contributed to. You will be notified in the following ways:
  - ✉️ Email notification - prior to the phase where you will be impacted
  - 🔔 Regular in-product reminders - 14 days before
  - ⏱️ After a specific time period (this will be shared via email) - blocked from accessing GitLab until you enable MFA
What action do I need to take?
- If you sign in to GitLab.com with a username and a password:
  - We highly recommend you proactively set up one of the available MFA methods today, such as passkeys, an authenticator app, a WebAuthn device, or email verification. This ensures the most secure and seamless transition:
    - Go to your GitLab.com User Settings.
    - Select the Account section.
    - Activate two-factor authentication and configure your preferred method (e.g., authenticator app or a WebAuthn device).
    - Securely save your recovery codes to guarantee you can regain access if needed.
- If you use a password to authenticate to the API:
  - We highly recommend you proactively switch to a personal access token (PAT). Read our documentation to learn more.
FAQ
What happens if I don't enable MFA by the deadline?
- You'll be required to set up MFA before you can sign in.
Does this affect CI/CD pipelines or automation?
- Yes, unless you're using PATs or deploy tokens instead of passwords.
I use SSO but sometimes sign in directly. Do I need MFA?
- Yes, MFA is required for any password-based authentication, including fallback scenarios.
Specific timelines and further resources will be shared as rollout dates approach. Thank you for your attention to this important change.