2FA removal and other account actions can only be taken if the workflow below is successful.
In many cases, users can regain access to their account using the following methods:
Users can try and login using their saved two-factor recovery codes.
If a user didn't save their recovery codes, new ones can be generated with the command below via SSH if they've previously added an SSH key to their account. The new recovery codes can then be used at sign in. This option is presented to users in the Zendesk macro and the auto-response they'll receive if they chose
Two-Factor Authentication (Account Recovery) as the problem type for the Zendesk ticket. If they cannot use this method then move on to the manual methods below.
ssh firstname.lastname@example.org 2fa_recovery_codes
If a user has added an SSH key to their account but receives a
Permission denied (publickey) error when using the command above, they may need to manually register their private SSH key using
ssh-agent if they're using a non-default SSH key pair file path. Direct the user to our documentation for guidance on how to solve this.
If the user is unable to remove 2FA or otherwise regain access to their account using the above methods and responds with the need for further verification, then the user will need to provide evidence of account ownership before we can disable 2FA on their account.
If a user has lost their account recovery codes and has no SSH key registered, proving they own the account can be difficult. In these cases, please use the workflow below.
As part of access recovery, if 2FA removal is not involved, then skip the following steps and move on to the next section.
Use the macro "Account::2FA::2FA Internal Note" It leaves an internal note on the ticket. Edit with the relevant admin link, your proposed data classification level, challenges and the risk factor.
Request that your decision be peer-reviewed by another member of the team via Slack.
Edit, add an Admin Note, and save.
Note: This only applies if you think the challenges were passed, in case the user sends back very minimal information and it's clear it's not sufficient, reply asking for more information immediately after their response.
If the user is a GitLab employee, follow the below process: