debian-mirror-gitlab/doc/security/two_factor_authentication.md

# Enforce Two-factor Authentication (2FA)

Two-factor Authentication (2FA) provides an additional level of security to your
users' GitLab account. Once enabled, in addition to supplying their username and
password to login, they'll be prompted for a code generated by an application on
their phone.

You can read more about it here:
[Two-factor Authentication (2FA)](../profile/two_factor_authentication.md)

## Enforcing 2FA for all users

Users on GitLab, can enable it without any admin's intervention. If you want to
enforce everyone to set up 2FA, you can choose from two different ways:

 1. Enforce on next login
 2. Suggest on next login, but allow a grace period before enforcing.

In the Admin area under **Settings** (`/admin/application_settings`), look for
the "Sign-in Restrictions" area, where you can configure both.

If you want 2FA enforcement to take effect on next login, change the grace
period to `0`.

---

![Two factor authentication admin settings](img/two_factor_authentication_settings.png)

---

## Enforcing 2FA for all users in a group

If you want to enforce 2FA only for certain groups, you can enable it in the
group settings and specify a grace period as above. To change this setting you
need to be administrator or owner of the group.

If there are multiple 2FA requirements (i.e. group + all users, or multiple
groups) the shortest grace period will be used.

---

![Two factor authentication group settings](img/two_factor_authentication_group_settings.png)

---

## Disabling 2FA for everyone

There may be some special situations where you want to disable 2FA for everyone
even when forced 2FA is disabled. There is a rake task for that:

```
# Omnibus installations
sudo gitlab-rake gitlab:two_factor:disable_for_all_users

# Installations from source
sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
```

**IMPORTANT: this is a permanent and irreversible action. Users will have to
    reactivate 2FA from scratch if they want to use it again.**
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`# Enforce Two-factor Authentication (2FA)`

			`Two-factor Authentication (2FA) provides an additional level of security to your`
			`users' GitLab account. Once enabled, in addition to supplying their username and`
			`password to login, they'll be prompted for a code generated by an application on`
			`their phone.`

			`You can read more about it here:`
New upstream version 11.5.6+dfsg 2019-01-03 12:48:30 +05:30			`[Two-factor Authentication (2FA)](../profile/two_factor_authentication.md)`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`## Enforcing 2FA for all users`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30
			`Users on GitLab, can enable it without any admin's intervention. If you want to`
New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`enforce everyone to set up 2FA, you can choose from two different ways:`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30
New upstream version 11.5.6+dfsg 2019-01-03 12:48:30 +05:30			`1. Enforce on next login`
			`2. Suggest on next login, but allow a grace period before enforcing.`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30
			In the Admin area under Settings (`/admin/application_settings`), look for
			`the "Sign-in Restrictions" area, where you can configure both.`

			`If you want 2FA enforcement to take effect on next login, change the grace`
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			period to `0`.

			`---`

			`![Two factor authentication admin settings](img/two_factor_authentication_settings.png)`

			`---`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`## Enforcing 2FA for all users in a group`

			`If you want to enforce 2FA only for certain groups, you can enable it in the`
			`group settings and specify a grace period as above. To change this setting you`
			`need to be administrator or owner of the group.`

			`If there are multiple 2FA requirements (i.e. group + all users, or multiple`
			`groups) the shortest grace period will be used.`

			`---`

			`![Two factor authentication group settings](img/two_factor_authentication_group_settings.png)`

			`---`

Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`## Disabling 2FA for everyone`

			`There may be some special situations where you want to disable 2FA for everyone`
			`even when forced 2FA is disabled. There is a rake task for that:`

			```
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`# Omnibus installations`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`sudo gitlab-rake gitlab:two_factor:disable_for_all_users`

Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`# Installations from source`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production`
			```

Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`**IMPORTANT: this is a permanent and irreversible action. Users will have to`
			`reactivate 2FA from scratch if they want to use it again.**`