Two-factor Authentication (2FA) provides an additional level of security to yourGitLab account. Once enabled, in addition to supplying your username andpassword to login, you'll be prompted for a code generated by your one time passwordauthenticator. For example, a password manager on one of your devices.
By enabling 2FA, the only way someone other than you can log into your accountis to know your username and password and have access to your one time password secret.
Overview
TIP: Tip:When you enable 2FA, don't forget to back up your recovery codes!
In addition to time-based one time passwords (TOTP), GitLab supports U2F(universal 2nd factor) devices as the second factor of authentication. Onceenabled, in addition to supplying your username and password to log in, you'llbe prompted to activate your U2F device (usually by pressing a button on it),and it will perform secure authentication on your behalf.
It is highly recommended that you set up 2FA with both aone-time password authenticatorand a U2F device, so you can still access your accountif you lose your U2F device.
Enabling 2FA
There are two ways to enable two-factor authentication: via a one time password authenticatoror a U2F device.
Enable 2FA via one time password authenticator
To enable 2FA:
- In GitLab:
- Log in to your GitLab account.
- Go to your Profile settings.
- Go to Account.
- Click Enable Two-factor Authentication.
- On your device (usually your phone):
- Install a compatible application, like:
- Authenticator: open source app for iOS devices.
- andOTP: feature rich open source app for Android which supports PGP encrypted backups.
- FreeOTP: open source app for Android.
- Google Authenticator: proprietary app for iOS and Android.
- SailOTP: open source app for SailFish OS.
- In the application, add a new entry in one of two ways:
- Scan the code presented in GitLab with your device's camera to add theentry automatically.
- Enter the details provided to add the entry manually.
- Install a compatible application, like:
- In GitLab:
- Enter the six-digit pin number from the entry on your device into the Pincode field.
- Click Submit.
If the pin you entered was correct, you'll see a message indicating thatTwo-Factor Authentication has been enabled, and you'll be presented with a listof recovery codes. Make sure you download them and keep themin a safe place.
Enable 2FA via U2F device
GitLab officially only supports YubiKeyU2F devices, but users have successfully used SoloKeys.
The U2F workflow is supported by thefollowing desktop browsers:
- Chrome
- Edge
- Firefox (disabled by default)
- Opera
NOTE: Note:For Firefox, you can enable the FIDO U2F API inabout:config.Search for security.webauth.u2f and double click on it to toggle to true.
To set up 2FA with a U2F device:
- Log in to your GitLab account.
- Go to your Profile settings.
- Go to Account.
- Click Enable Two-Factor Authentication.
- Plug in your U2F device.
- Click on Set up New U2F Device.
- A light will start blinking on your device. Activate it by pressing its button.
You will see a message indicating that your device was successfully set up.Click on Register U2F Device to complete the process.
Recovery codes
NOTE: Note:Recovery codes are not generated for U2F devices.
CAUTION: Caution:Each code can be used only once to log in to your account.
Immediately after successfully enabling two-factor authentication, you'll beprompted to download a set of set recovery codes. Should you ever lose accessto your one time password authenticator, you can use one of them to log in toyour account. We suggest copying them, printing them, or downloading them usingthe Download codes button for storage in a safe place. If you choose todownload them, the file will be called gitlab-recovery-codes.txt.
If you lose the recovery codes or just want to generate new ones, you can do sofrom the two-factor authentication account settings page orusing SSH.
Logging in with 2FA Enabled
Logging in with 2FA enabled is only slightly different than a normal login.Enter your username and password credentials as you normally would, and you'llbe presented with a second prompt, depending on which type of 2FA you've enabled.
Log in via a one-time password
When asked, enter the pin from your one time password authenticator's application or arecovery code to log in.
Log in via U2F device
To log in via a U2F device:
- Click Login via U2F Device.
- A light will start blinking on your device. Activate it by touching/pressingits button.
You will see a message indicating that your device responded to the authenticationrequest and you will be automatically logged in.
Disabling 2FA
If you ever need to disable 2FA:
- Log in to your GitLab account.
- Go to your Profile settings.
- Go to Account.
- Click Disable, under Two-Factor Authentication.
This will clear all your two-factor authentication registrations, including mobileapplications and U2F devices.
Personal access tokens
When 2FA is enabled, you can no longer use your normal account password toauthenticate with Git over HTTPS on the command line or when usingGitLab's API. You must use apersonal access token instead.
Recovery options
To disable two-factor authentication on your account (for example, if youhave lost your code generation device) you can:
- Use a saved recovery code.
- Generate new recovery codes using SSH.
- Regenerate 2FA recovery codes.
- Ask a GitLab administrator to disable two-factor authentication on your account.
Use a saved recovery code
Enabling two-factor authentication for your account generated several recoverycodes. If you saved these codes, you can use one of them to sign in.
To use a recovery code, enter your username/email and password on the GitLabsign-in page. When prompted for a two-factor code, enter the recovery code.
Once you use a recovery code, you cannot re-use it. You can still use the otherrecovery codes you saved.
Generate new recovery codes using SSH
Users often forget to save their recovery codes when enabling two-factorauthentication. If an SSH key is added to your GitLab account, you can generatea new set of recovery codes with SSH:
Run:
ssh git@gitlab.example.com 2fa_recovery_codesYou will then be prompted to confirm that you want to generate new codes.Continuing this process invalidates previously saved codes:
Are you sure you want to generate new two-factor recovery codes?Any existing recovery codes you saved will be invalidated. (yes/no)yesYour two-factor authentication recovery codes are:119135e5a3ebce8e11f6v2a498810dcd3924c7ab2089c902e79a3398bfe4f22434bd7b74adbc8861f061691d5107df1a169bf32a18e63e7fb510e7422e81c94720dbed24c5e74663df9d3b9403b9c9f0During sign in, use one of the codes above when prompted for yourtwo-factor code. Then, visit your Profile Settings and add a new deviceso you do not lose access to your account again.Go to the GitLab sign-in page and enter your username/email and password.When prompted for a two-factor code, enter one of the recovery codes obtainedfrom the command-line output.
After signing in, visit your Profile settings > Account immediately to setup two-factor authentication with a new device.
Regenerate 2FA recovery codes
To regenerate 2FA recovery codes, you need access to a desktop browser:
- Navigate to GitLab.
- Sign in to your GitLab account.
- Go to your Profile settings.
- Select {account} Account > Two-Factor Authentication (2FA).
- If you've already configured 2FA, click Manage two-factor authentication.
- In the Register Two-Factor Authenticator pane, click Regenerate recovery codes.
NOTE: Note:If you regenerate 2FA recovery codes, save them. You won't be able to use any previously created 2FA codes.
Ask a GitLab administrator to disable two-factor authentication on your account
If you cannot use a saved recovery code or generate new recovery codes, ask aGitLab global administrator to disable two-factor authentication for youraccount. This will temporarily leave your account in a less secure state.Sign in and re-enable two-factor authentication as soon as possible.
Note to GitLab administrators
You need to take special care to that 2FA keeps working afterrestoring a GitLab backup.
To ensure 2FA authorizes correctly with TOTP server, you may want to ensureyour GitLab server's time is synchronized via a service like NTP. Otherwise,you may have cases where authorization always fails because of time differences.
The GitLab U2F implementation does not work when the GitLab instance is accessed frommultiple hostnames, or FQDNs. Each U2F registration is linked to the current hostname atthe time of registration, and cannot be used for other hostnames/FQDNs.
For example, if a user is trying to access a GitLab instance from
first.host.xyzandsecond.host.xyz:- The user logs in via
first.host.xyzand registers their U2F key. - The user logs out and attempts to log in via
first.host.xyz- U2F authentication succeeds. - The user logs out and attempts to log in via
second.host.xyz- U2F authentication fails, becausethe U2F key has only been registered onfirst.host.xyz.
- The user logs in via
Troubleshooting
If you are receiving an invalid pin code error, this may indicate that there is a time sync issue between the authentication application and the GitLab instance itself.
Most authentication apps have a feature in the settings for syncing the time for the codes themselves. For Google Authenticator for example, go to Settings > Time correction for codes.
