Two-factor authentication (2FA) provides an additional level of security to your GitLab account. For others to access your account, they would need your username and password and access to your second factor of authentication.
GitLab supports as a second factor of authentication:
If you set up a device, also set up a TOTP so you can still access your account if you lose the device.

Use personal access tokens with two-factor authentication

When 2FA is enabled, you can’t use your password to authenticate with Git over HTTPS or the GitLab API. You can use a personal access token instead.

Git Credential Manager

For Git over HTTPS, Git Credential Manager (GCM) offers an alternative to personal access tokens. By default, GCM authenticates using OAuth, opening GitLab in your web browser. The first time you authenticate, GitLab asks you to authorize the app. If you remain signed in to GitLab, subsequent authentication requires no interaction.

So you don’t need to reauthenticate on every push, GCM supports caching as well as a variety of platform-specific credential stores that persist between sessions. This feature is useful whether you use personal access tokens or OAuth.

GCM supports GitLab.com out the box. To use with self-managed GitLab, see GitLab support documentation.

Git Credential Manager is developed primarily by GitHub, Inc. It is an open-source project and is supported by the community.

Enable two-factor authentication

You can enable 2FA:
In GitLab 14.3 and later, your account email must be confirmed to enable 2FA.

Enable one-time password

To enable 2FA with a one-time password:
If you entered the correct pin, GitLab displays a list of recovery codes. Download them and keep them in a safe place.

Enable one-time password using FortiAuthenticator

Introduced in GitLab 13.5 with a flag named

You can use FortiAuthenticator as a one-time password (OTP) provider in GitLab. Users must:
You need a username and access token for FortiAuthenticator. The

Configure FortiAuthenticator in GitLab. On your GitLab server:
Enable one-time password using FortiToken Cloud

You can use FortiToken Cloud as a one-time password (OTP) provider in GitLab. Users must:
You need a

Configure FortiToken Cloud in GitLab. On your GitLab server:
Set up a U2F device

GitLab officially supports YubiKey U2F devices, but users have successfully used SoloKeys and Google Titan Security Key. U2F is supported by the following desktop browsers:
To set up 2FA with a U2F device:
A message displays indicating that your device was successfully set up. Select Register U2F Device to complete the process. Recovery codes are not generated for U2F devices.

Set up a WebAuthn device

WebAuthn is supported by:
To set up 2FA with a WebAuthn-compatible device:
A message displays indicating that your device was successfully set up. Recovery codes are not generated for WebAuthn devices.

Recovery codes

Introduced in GitLab 13.7, Copy codes and Print codes buttons.

Immediately after successfully enabling 2FA with a one-time password, you’re prompted to download a set of generated recovery codes. If you ever lose access to your one-time password authenticator, you can use one of these recovery codes to sign in to your account.

We recommend copying and printing them, or downloading them using the Download codes button for storage in a safe place. If you choose to download them, the file is called

If you lose the recovery codes, or want to generate new ones, you can use either:
Regenerate two-factor authentication recovery codes

To regenerate 2FA recovery codes, you need access to a desktop browser:
Sign in with two-factor authentication enabled

Signing in with 2FA enabled is only slightly different from the normal sign-in process. Enter your username and password and you’re presented with a second prompt, depending on which type of 2FA you’ve enabled.

Sign in using a one-time password

When asked, enter the pin from your one-time password authenticator’s application or a recovery code to sign in.

Sign in using a U2F device

To sign in by using a U2F device:
A message displays indicating that your device responded to the authentication request, and you’re automatically signed in.

Sign in using a WebAuthn device

In supported browsers, you should be automatically prompted to activate your WebAuthn device (for example, by touching or pressing its button) after entering your credentials.

A message displays indicating that your device responded to the authentication request and you’re automatically signed in.

Disable two-factor authentication

To disable 2FA:
This clears all your 2FA registrations, including mobile applications and U2F or WebAuthn devices.

Recovery options

If you don’t have access to your code generation device, you can recover access to your account:
Use a saved recovery code

To use a recovery code:
After you use a recovery code, you cannot re-use it. You can still use the other recovery codes you saved.

Generate new recovery codes using SSH

If you forget to save your recovery codes when enabling 2FA, and you added an SSH key to your GitLab account, you can generate a new set of recovery codes with SSH:
After signing in, immediately set up 2FA with a new device.

Have two-factor authentication disabled on your account

If other methods are unavailable, have a GitLab support contact submit a support ticket to request a GitLab global administrator disable 2FA for your account:
Information for GitLab administrators
Troubleshooting

Error: “HTTP Basic: Access denied. The provided password or token …”

When making a request, you can receive the following error:
This error occurs in the following scenarios:
Error: “invalid pin code”

If you receive an
Can you turn off two factor authentication for Gmail?

Open your Google Account. In the "Security" section, select 2-Step Verification. You might need to sign in. Select Turn off.
Why is there no option to turn off two factor authentication?

If you're already using two-factor authentication with your Apple ID, you can't turn it off. If you updated to two-factor authentication inadvertently, you can turn it off within two weeks of enrollment. If you do, your account is less secure and you can't use features that require a higher level of security.
How can I access my Gmail account without verification code?

Open the Google Account Settings > Security > 2-Step Verification and click on the Turn off button. Enter your Google account password and click Enter to verify. That's it: this deactivates 2-step verification, allowing you to log in through any device without needing a verification code.