To strengthen security, GitLab will no longer allow Multi-Factor Authentication resets

Written about 2 months ago by IanDorfman

Since GitLab's implementation of 2-factor authentication, users who have lost access to their login code generators have been able to reset their multi-factor authentication settings regardless of whether their account was free or premium. This is about to change.

In an official blog post, GitLab's Senior Support Engineering Manager Lyle Kozloff announced that account security is being shored up starting on August 15th, 2020. After this date, GitLab Support will not process any multi-factor authentication resets on free GitLab accounts.

Though free accounts will have no access to MFA resets, paid accounts that use a corporate email address will be able to request an MFA reset with a few caveats. Firstly, requests will take 3 business days at minimum to be processed. Secondly (and lastly), security challenges will be required in order to ensure the account belongs to you before MFA settings are reset.

Following the August 15th change, being unable to access your MFA login code generator will render your account inaccessible. GitLab recommends taking the following steps to prevent this from happening:

• Generate (or regenerate) recovery codes and store them in a secure location
• Use a hardware token whenever possible
• Add an SSH key to your account to allow the generation of backup codes

Further coverage:
GitLab Blog