21 KiB
stage | group | info |
---|---|---|
Manage | Access | To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments |
Two-factor authentication (FREE)
Two-factor authentication (2FA) provides an additional level of security to your GitLab account. After being enabled, in addition to supplying your username and password to sign in, you are prompted for a code generated by your one-time password authenticator (for example, a password manager on one of your devices).
By enabling 2FA, the only way someone other than you can sign in to your account is to know your username and password and have access to your one-time password secret.
Overview
NOTE: When you enable 2FA, don't forget to back up your recovery codes!
In addition to time-based one time passwords (TOTP), GitLab supports WebAuthn devices as the second factor of authentication. After being enabled, in addition to supplying your username and password to sign in, you're prompted to activate your U2F / WebAuthn device (usually by pressing a button on it) which performs secure authentication on your behalf.
It's highly recommended that you set up 2FA with both a one-time password authenticator or use FortiAuthenticator and a U2F device or a WebAuthn device, so you can still access your account if you lose your U2F / WebAuthn device.
Enabling 2FA
- Account email confirmation requirement introduced in GitLab 14.3. Deployed behind the
ensure_verified_primary_email_for_2fa
flag, enabled by default.- Account email confirmation requirement generally available and feature flag
ensure_verified_primary_email_for_2fa
removed in GitLab 14.4.
There are multiple ways to enable two-factor authentication (2FA):
- Using a one-time password authenticator.
- Using a U2F / WebAuthn device.
In GitLab 14.3 and later, your account email must be confirmed to enable two-factor authentication.
One-time password
To enable 2FA:
- In GitLab:
- Sign in to your GitLab account.
- Go to your User settings.
- Go to Account.
- Select Enable Two-factor Authentication.
- On your device (usually your phone):
- Install a compatible application, like:
- In the application, add a new entry in one of two ways:
- Scan the code presented in GitLab with your device's camera to add the entry automatically.
- Enter the details provided to add the entry manually.
- In GitLab:
- Enter the six-digit pin number from the entry on your device into the Pin code field.
- Enter your current password.
- Select Submit.
If the pin you entered was correct, a message displays indicating that two-factor authentication has been enabled, and you're shown a list of recovery codes. Be sure to download them and keep them in a safe place.
One-time password via FortiAuthenticator
- Introduced in GitLab 13.5.
- It's deployed behind a feature flag, disabled by default.
- To use it in GitLab self-managed instances, ask a GitLab administrator to enable it.
You can use FortiAuthenticator as a one-time password (OTP) provider in GitLab. Users must exist in both FortiAuthenticator and GitLab with the exact same username, and users must have FortiToken configured in FortiAuthenticator.
You need a username and access token for FortiAuthenticator. The
access_token
in the code samples shown below is the FortAuthenticator access
key. To get the token, see the REST API Solution Guide
at
Fortinet Document Library
.
GitLab 13.5 has been tested with FortAuthenticator version 6.2.0.
First configure FortiAuthenticator in GitLab. On your GitLab server:
-
Open the configuration file.
For Omnibus GitLab:
sudo editor /etc/gitlab/gitlab.rb
For installations from source:
cd /home/git/gitlab sudo -u git -H editor config/gitlab.yml
-
Add the provider configuration:
For Omnibus package:
gitlab_rails['forti_authenticator_enabled'] = true gitlab_rails['forti_authenticator_host'] = 'forti_authenticator.example.com' gitlab_rails['forti_authenticator_port'] = 443 gitlab_rails['forti_authenticator_username'] = '<some_username>' gitlab_rails['forti_authenticator_access_token'] = 's3cr3t'
For installations from source:
forti_authenticator: enabled: true host: forti_authenticator.example.com port: 443 username: <some_username> access_token: s3cr3t
-
Save the configuration file.
-
Reconfigure or restart GitLab for the changes to take effect if you installed GitLab via Omnibus or from source respectively.
Enable FortiAuthenticator integration
This feature comes with the :forti_authenticator
feature flag disabled by
default.
To enable this feature, ask a GitLab administrator with Rails console access to run the following command:
Feature.enable(:forti_authenticator, User.find(<user ID>))
One-time password via FortiToken Cloud
- Introduced in GitLab 13.7.
- It's deployed behind a feature flag, disabled by default.
- It's disabled on GitLab.com.
- It's not recommended for production use.
- To use it in GitLab self-managed instances, ask a GitLab administrator to enable it.
WARNING: This feature might not be available to you. Check the version history note above for details.
You can use FortiToken Cloud as a one-time password (OTP) provider in GitLab. Users must exist in both FortiToken Cloud and GitLab with the exact same username, and users must have FortiToken configured in FortiToken Cloud.
You'll also need a client_id
and client_secret
to configure FortiToken Cloud.
To get these, see the REST API Guide
at
Fortinet Document Library
.
First configure FortiToken Cloud in GitLab. On your GitLab server:
-
Open the configuration file.
For Omnibus GitLab:
sudo editor /etc/gitlab/gitlab.rb
For installations from source:
cd /home/git/gitlab sudo -u git -H editor config/gitlab.yml
-
Add the provider configuration:
For Omnibus package:
gitlab_rails['forti_token_cloud_enabled'] = true gitlab_rails['forti_token_cloud_client_id'] = '<your_fortinet_cloud_client_id>' gitlab_rails['forti_token_cloud_client_secret'] = '<your_fortinet_cloud_client_secret>'
For installations from source:
forti_token_cloud: enabled: true client_id: YOUR_FORTI_TOKEN_CLOUD_CLIENT_ID client_secret: YOUR_FORTI_TOKEN_CLOUD_CLIENT_SECRET
-
Save the configuration file.
-
Reconfigure or restart GitLab for the changes to take effect if you installed GitLab via Omnibus or from source respectively.
Enable or disable FortiToken Cloud integration
FortiToken Cloud integration is under development and not ready for production use. It is deployed behind a feature flag that is disabled by default. GitLab administrators with access to the GitLab Rails console can enable it.
To enable it:
Feature.enable(:forti_token_cloud, User.find(<user ID>))
To disable it:
Feature.disable(:forti_token_cloud, User.find(<user ID>))
U2F device
GitLab officially only supports YubiKey U2F devices, but users have successfully used SoloKeys or Google Titan Security Key.
NOTE: 2FA must be configured before U2F.
The U2F workflow is supported by the following desktop browsers:
- Chrome
- Edge
- Firefox 67+
- Opera
NOTE:
For Firefox 47-66, you can enable the FIDO U2F API in
about:config
.
Search for security.webauth.u2f
and double click on it to toggle to true
.
To set up 2FA with a U2F device:
- Sign in to your GitLab account.
- Go to your User settings.
- Go to Account.
- Click Enable Two-Factor Authentication.
- Connect your U2F device.
- Click on Set up New U2F Device.
- A light begins blinking on your device. Activate it by pressing its button.
A message displays, indicating that your device was successfully set up. Click on Register U2F Device to complete the process.
WebAuthn device
- Introduced in GitLab 13.4 with a flag named
webauthn
. Disabled by default.- Enabled on GitLab.com and self-managed in GitLab 14.6.
FLAG:
On self-managed GitLab, by default this feature is available. To disable the feature, ask an administrator to disable the feature flag named webauthn
. If you disable the WebAuthn feature flag after WebAuthn devices have been registered, these devices are not usable until you re-enable this feature. On GitLab.com, this feature is available.
The WebAuthn workflow is supported by the following desktop browsers:
- Chrome
- Edge
- Firefox
- Opera
- Safari
and the following mobile browsers:
- Chrome for Android
- Firefox for Android
- iOS Safari (since iOS 13.3)
To set up 2FA with a WebAuthn compatible device:
- Sign in to your GitLab account.
- Go to your User settings.
- Go to Account.
- Select Enable Two-Factor Authentication.
- Plug in your WebAuthn device.
- Select Set up New WebAuthn Device.
- Depending on your device, you might need to press a button or touch a sensor.
A message displays, indicating that your device was successfully set up. Recovery codes are not generated for WebAuthn devices.
Recovery codes
NOTE: Recovery codes are not generated for U2F / WebAuthn devices.
WARNING: Each code can be used only once to sign in to your account.
Immediately after successfully enabling two-factor authentication, you're
prompted to download a set of generated recovery codes. Should you ever lose access
to your one-time password authenticator, you can use one of these recovery codes to sign in to
your account. We suggest copying and printing them, or downloading them using
the Download codes button for storage in a safe place. If you choose to
download them, the file is called gitlab-recovery-codes.txt
.
The UI now includes Copy codes and Print codes buttons, for your convenience. Introduced in GitLab 13.7.
If you lose the recovery codes or just want to generate new ones, you can do so from the two-factor authentication account settings page or using SSH.
Signing in with 2FA Enabled
Signing in with 2FA enabled is only slightly different than the normal sign-in process. Enter your username and password credentials as you normally would, and you're presented with a second prompt, depending on which type of 2FA you've enabled.
Sign in by using a one-time password
When asked, enter the pin from your one time password authenticator's application or a recovery code to sign in.
Sign in by using a U2F device
To sign in by using a U2F device:
- Click Login via U2F Device.
- A light begins blinking on your device. Activate it by touching/pressing its button.
A message displays, indicating that your device responded to the authentication request, and you're automatically signed in.
Sign in by using a WebAuthn device
In supported browsers you should be automatically prompted to activate your WebAuthn device (for example, by touching or pressing its button) after entering your credentials.
A message displays, indicating that your device responded to the authentication request and you're automatically signed in.
Disabling 2FA
If you ever need to disable 2FA:
- Sign in to your GitLab account.
- Go to your User settings.
- Go to Account.
- Select Manage two-factor authentication.
- Under Two-Factor Authentication, enter your current password and select Disable.
This clears all your two-factor authentication registrations, including mobile applications and U2F / WebAuthn devices.
Support for disabling 2FA is limited, depending on your subscription level. For more information, see the Account Recovery section of our website.
Personal access tokens
When 2FA is enabled, you can no longer use your normal account password to authenticate with Git over HTTPS on the command line or when using the GitLab API. You must use a personal access token instead.
Recovery options
To disable two-factor authentication on your account (for example, if you have lost your code generation device) you can:
- Use a saved recovery code.
- Generate new recovery codes using SSH.
- Regenerate 2FA recovery codes.
- Have 2FA disabled on your account.
Use a saved recovery code
Enabling two-factor authentication for your account generated several recovery codes. If you saved these codes, you can use one of them to sign in.
To use a recovery code, enter your username/email and password on the GitLab sign-in page. When prompted for a two-factor code, enter the recovery code.
After you use a recovery code, you cannot re-use it. You can still use the other recovery codes you saved.
Generate new recovery codes using SSH
Users often forget to save their recovery codes when enabling two-factor authentication. If an SSH key is added to your GitLab account, you can generate a new set of recovery codes with SSH:
-
Run:
ssh git@gitlab.com 2fa_recovery_codes
NOTE: On self-managed instances, replace
gitlab.com
in the command above with the GitLab server hostname (gitlab.example.com
). -
You are prompted to confirm that you want to generate new codes. Continuing this process invalidates previously saved codes:
Are you sure you want to generate new two-factor recovery codes? Any existing recovery codes you saved will be invalidated. (yes/no) yes Your two-factor authentication recovery codes are: 119135e5a3ebce8e 11f6v2a498810dcd 3924c7ab2089c902 e79a3398bfe4f224 34bd7b74adbc8861 f061691d5107df1a 169bf32a18e63e7f b510e7422e81c947 20dbed24c5e74663 df9d3b9403b9c9f0 During sign in, use one of the codes above when prompted for your two-factor code. Then, visit your Profile Settings and add a new device so you do not lose access to your account again.
-
Go to the GitLab sign-in page and enter your username/email and password. When prompted for a two-factor code, enter one of the recovery codes obtained from the command-line output.
After signing in, visit your User settings > Account immediately to set up two-factor authentication with a new device.
Regenerate 2FA recovery codes
To regenerate 2FA recovery codes, you need access to a desktop browser:
- Navigate to GitLab.
- Sign in to your GitLab account.
- Go to your User settings.
- Select Account > Two-Factor Authentication (2FA).
- If you've already configured 2FA, click Manage two-factor authentication.
- In the Register Two-Factor Authenticator pane, enter your current password and select Regenerate recovery codes.
NOTE: If you regenerate 2FA recovery codes, save them. You can't use any previously created 2FA codes.
Have 2FA disabled on your account
If you can't use a saved recovery code or generate new recovery codes, submit a support ticket to request a GitLab global administrator disable two-factor authentication for your account. Note that:
- Only the owner of the account can make this request.
- This service is only available for accounts that have a GitLab.com subscription. For more information, see our blog post.
- Disabling this setting temporarily leaves your account in a less secure state. You should sign in and re-enable two-factor authentication as soon as possible.
Note to GitLab administrators
-
You need to take special care to that 2FA keeps working after restoring a GitLab backup.
-
To ensure 2FA authorizes correctly with time-based one time passwords (TOTP) server, you may want to ensure your GitLab server's time is synchronized via a service like NTP. Otherwise, you may have cases where authorization always fails because of time differences.
-
The GitLab U2F implementation does not work when the GitLab instance is accessed from multiple hostnames, or FQDNs. Each U2F registration is linked to the current hostname at the time of registration, and cannot be used for other hostnames/FQDNs. The same applies to WebAuthn registrations.
For example, if a user is trying to access a GitLab instance from
first.host.xyz
andsecond.host.xyz
:- The user signs in by using
first.host.xyz
and registers their U2F key. - The user signs out and attempts to sign in by using
first.host.xyz
- U2F authentication succeeds. - The user signs out and attempts to sign in by using
second.host.xyz
- U2F authentication fails, because the U2F key has only been registered onfirst.host.xyz
.
- The user signs in by using
-
To enforce 2FA at the system or group levels see Enforce Two-factor Authentication.
Troubleshooting
If you are receiving an invalid pin code
error, this may indicate that there is a time sync issue between the authentication application and the GitLab instance itself.
To avoid the time sync issue, enable time synchronization in the device that generates the codes. For example:
- For Android (Google Authenticator):
- Go to the Main Menu in Google Authenticator.
- Select Settings.
- Select the Time correction for the codes.
- Select Sync now.
- For iOS:
- Go to Settings.
- Select General.
- Select Date & Time.
- Enable Set Automatically. If it's already enabled, disable it, wait a few seconds, and re-enable.