debian-mirror-gitlab/doc/security/two_factor_authentication.md

# Enforce Two-factor Authentication (2FA)

Two-factor Authentication (2FA) provides an additional level of security to your
users' GitLab account. Once enabled, in addition to supplying their username and
password to login, they'll be prompted for a code generated by an application on
their phone.

You can read more about it here:
[Two-factor Authentication (2FA)](../profile/two_factor_authentication.md)

## Enabling 2FA

Users on GitLab, can enable it without any admin's intervention. If you want to
enforce everyone to setup 2FA, you can choose from two different ways:

 1. Enforce on next login
 2. Suggest on next login, but allow a grace period before enforcing.

In the Admin area under **Settings** (`/admin/application_settings`), look for
the "Sign-in Restrictions" area, where you can configure both.

If you want 2FA enforcement to take effect on next login, change the grace
period to `0`.

---

![Two factor authentication admin settings](img/two_factor_authentication_settings.png)

---

## Disabling 2FA for everyone

There may be some special situations where you want to disable 2FA for everyone
even when forced 2FA is disabled. There is a rake task for that:

```
# Omnibus installations
sudo gitlab-rake gitlab:two_factor:disable_for_all_users

# Installations from source
sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
```

**IMPORTANT: this is a permanent and irreversible action. Users will have to
    reactivate 2FA from scratch if they want to use it again.**
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`# Enforce Two-factor Authentication (2FA)`

			`Two-factor Authentication (2FA) provides an additional level of security to your`
			`users' GitLab account. Once enabled, in addition to supplying their username and`
			`password to login, they'll be prompted for a code generated by an application on`
			`their phone.`

			`You can read more about it here:`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`[Two-factor Authentication (2FA)](../profile/two_factor_authentication.md)`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30
			`## Enabling 2FA`

			`Users on GitLab, can enable it without any admin's intervention. If you want to`
			`enforce everyone to setup 2FA, you can choose from two different ways:`

			`1. Enforce on next login`
			`2. Suggest on next login, but allow a grace period before enforcing.`

			In the Admin area under Settings (`/admin/application_settings`), look for
			`the "Sign-in Restrictions" area, where you can configure both.`

			`If you want 2FA enforcement to take effect on next login, change the grace`
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			period to `0`.

			`---`

			`![Two factor authentication admin settings](img/two_factor_authentication_settings.png)`

			`---`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30
			`## Disabling 2FA for everyone`

			`There may be some special situations where you want to disable 2FA for everyone`
			`even when forced 2FA is disabled. There is a rake task for that:`

			```
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`# Omnibus installations`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`sudo gitlab-rake gitlab:two_factor:disable_for_all_users`

Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`# Installations from source`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production`
			```

Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`**IMPORTANT: this is a permanent and irreversible action. Users will have to`
			`reactivate 2FA from scratch if they want to use it again.**`