14 votes

GitLab Support will no longer process MFA resets for free accounts as of August 15th, 2020 - make sure you have a valid backup recovery method set up

3 comments

  1. [3]
    acdw
    Well, I guess this is the good kick in the pants I needed to just move all my GitLab and GitHub repos over to sourcehut or something. Probably just get rid of some of them. IDK.

    3 votes
    1. [2]
      jackson
      Doesn't processing MFA resets for anonymous accounts (i.e. not banks) erode the purpose of MFA? If someone can just social engineer a support team into removing your authenticator, there's really very little purpose to MFA.

      I save my recovery keys in a safe and use Authy as my authenticator (which has e2e encrypted sync between devices), and am not at all concerned about this change.

      I think it's fair to keep resets for paid accounts because (1) they're paying for it, and (2) you can verify ownership using your payment details to authorize a $1 hold or something similar. Free accounts have no such authentication method.

      12 votes
      1. acdw
        Hm, this is a good point. I think I was misunderstanding MFA resets as MFA authentication -- I don't need to reset my thing too much.

        Still need to move most things over though, just for my own sanity.

        1 vote