Enforce two-factor authentication

Two-factor authentication (2FA) is an authentication method that requires the user to provide two different factors to prove their identity:

  • Username and password.
  • A second authentication method, such as a code generated by an application.

2FA makes it harder for an unauthorized person to access an account because they would need both factors.

note
If you are using and enforcing SSO, you might already be enforcing 2FA on the identity provider (IDP) side. Enforcing 2FA on GitLab as well might be unnecessary.

Enforce 2FA for all users

Administrators can enforce 2FA for all users in two different ways:

  • Enforce on next sign in.
  • Suggest on next sign in, but allow a grace period before enforcing.

    After the configured grace period has elapsed, users can sign in but cannot leave the 2FA configuration area at /-/profile/two_factor_auth.

You can use the UI or the API to enforce 2FA for all users.

Use the UI

  1. On the left sidebar, select Search or go to.
  2. Select Admin Area.
  3. On the left sidebar, select Settings > General.
  4. Expand the Sign-in restrictions section:
    • Select Enforce two-factor authentication to enable this feature.
    • In Two-factor grace period, enter a number of hours. If you want to enforce 2FA on next sign-in attempt, enter 0.

Use the API

Use the application settings API to modify the following settings:

  • require_two_factor_authentication.
  • two_factor_grace_period.

For more information, see the list of settings that can be accessed through API calls.

Enforce 2FA for all users in a group

Introduced in GitLab 12.0, 2FA settings for a group are also applied to subgroups.

Prerequisites:

  • You must have the Maintainer or Owner role for the group.

To enforce 2FA only for certain groups:

  1. On the left sidebar, select Search or go to and find your group.
  2. Select Settings > General.
  3. Expand Permissions and group features.
  4. Select All users in this group must set up two-factor authentication.
  5. Optional. In Delay 2FA enforcement (hours), enter the number of hours you want the grace period to last for. If there are multiple different grace periods in a top level group and its subgroups and projects, the shortest grace period is used.
  6. Select Save changes.

Access tokens are not required to provide a second factor for authentication because they are API-based. Tokens generated before 2FA is enforced remain valid.

2FA in subgroups

You can enable and enforce 2FA for individual subgroups in the same way as a top level group.

You can prevent subgroups from setting up their own 2FA requirements:

  1. Go to the top level group’s Settings > General.
  2. Expand the Permissions and group features section.
  3. Clear the Allow subgroups to set up their own two-factor authentication rule checkbox.

This action causes all subgroups with 2FA requirements to stop requiring 2FA from their members.

2FA in projects

If a project belonging to a group that enables or enforces 2FA is shared with a group that does not enable or enforce 2FA, members of the non-2FA group can access that project without using 2FA. For example:

  • Group A has 2FA enabled and enforced. Group B does not have 2FA enabled.
  • If a project, P, that belongs to group A is shared with group B, members of group B can access project P without 2FA.

To ensure this does not occur, prevent sharing of projects for the 2FA group.

If you add members to a project in a group or subgroup that has 2FA enabled, 2FA is not required for those individually added members.

Disable 2FA

You can disable 2FA for a single user or all users.

This is a permanent and irreversible action. Users must reactivate 2FA to use it again.

caution
Disabling 2FA for users does not disable the enforce 2FA for all users or enforce 2FA for all users in a group settings. You must also disable any enforced 2FA settings so users aren’t asked to set up 2FA again when they next sign in to GitLab.

For a single user

Administrators

In GitLab 13.5 and later, use the Rails console to disable 2FA for a single administrator:

admin = User.find_by_username('<USERNAME>')
user_to_disable = User.find_by_username('<USERNAME>')

TwoFactor::DestroyService.new(admin, user: user_to_disable).execute

The administrator is notified that 2FA has been disabled.

Non-administrators

In GitLab 15.2 and later, you can use either the Rails console or the API endpoint to disable 2FA for a non-administrator.

You can disable 2FA for your own account.

You cannot use the API endpoint to disable 2FA for administrators.

For all users

To disable 2FA for all users even when forced 2FA is disabled, use the following Rake task.

  • For installations that use the Linux package:

    sudo gitlab-rake gitlab:two_factor:disable_for_all_users
    
  • For self-compiled installations:

    sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
    

2FA for Git over SSH operations

Version history
  • Introduced in GitLab 13.7.
  • Moved from GitLab Free to GitLab Premium in 13.9.
  • It’s deployed behind a feature flag, disabled by default.
  • Push notification support introduced in GitLab 15.3.
On self-managed GitLab, by default this feature is not available. To make it available, an administrator can enable the feature flag named two_factor_for_cli. On GitLab.com, this feature is not available. The feature is not ready for production use. This feature flag also affects session duration for Git Operations when 2FA is enabled.

You can enforce 2FA for Git over SSH operations. However, you should use ED25519_SK or ECDSA_SK SSH keys instead. 2FA is enforced for Git operations only, and internal commands such as personal_access_token are excluded.

To perform one-time password (OTP) verification, run:

ssh git@<hostname> 2fa_verify

Then authenticate by either:

After successful authentication, you can perform Git over SSH operations for 15 minutes (default) with the associated SSH key.

Security limitation

2FA does not protect users with compromised private SSH keys.

Once an OTP is verified, anyone can run Git over SSH with that private SSH key for the configured session duration.