Enforcing 2FA on GitLab Accounts
Dear project committers,
I would like to bring to your attention that the security team at the Eclipse Foundation will soon be requiring that accounts with committer privileges on gitlab.eclipse.org activate 2FA access control.
The plans, along with details on the importance of this change, have been shared on the committers mailing list.
As included in the announcement, we are opening this ticket to inform you and track the activation of 2FA on accounts belonging to this project’s members.
Keep in mind that starting on the 30th of October you’ll likely see a banner each time you access GitLab reminding you to activate 2FA in your account.
The deadline is December the 4th, at which point access to your account will be limited until you activate 2FA. It is highly recommended that you enroll in this process before the deadline.
GitLab offers instructions on every step of the process and we’re happy to answer any question you might have.
Thank you!
/cc @mbarbero
FAQ
How can I activate 2FA for my gitlab.eclipse.org account?
Detailed instructions are available. In a nutshell, visit gitlab.eclipse.org/-/profile/two_factor_auth and follow the on-screen instructions.
If the form asks you for a password in order to set up 2FA on your account, this is not your Eclipse account’s password. It is a known bug in GitLab that some accounts are asked for a “local” password despite having one in the Active Directory.
You should request a password reset and use that same password for this form. This process does not change your Eclipse account password.
Do I need to purchase a hardware token for account access?
No. GitLab supports two 2FA methods: Time-based One-Time Password (TOTP), which is compatible with mobile apps like Google Authenticator or Authy and with several password managers such as Bitwarden or 1Password; and WebAuthn, which necessitates a hardware token, typically a USB key (examples include the Solo 2 key or YubiKey). These tokens are sometimes referred to as FIDO2 keys.
How will this affect my gitlab.eclipse.org accounts?
In the near future, 2FA will become mandatory for authentication on your accounts. Should you not have enrolled by the deadline we communicated to you, access to the platform will be restricted.
I already have 2FA enabled on gitlab.eclipse.org, do I need to do anything?
No, you’re all good.
What do I do if I lose my 2FA device?
We highly recommend the utilization of diverse secondary authentication methods. In the event that you misplace all your secondary authentication elements, recovery codes will be the only way to restore account access. By securely storing your recovery codes, you'll ensure the ability to regain access.
Note that the Eclipse IT team may be able to recover access to accounts with 2FA enabled if both the 2FA credentials and account recovery methods are lost. This will require extra identity verification and direct contact with security@eclipse-foundation.org or webmaster@eclipse-foundation.org.