BigW Consortium Gitlab

two_factor_authentication.md 1.5 KB
Newer Older
1 2 3 4 5 6 7 8
# Enforce Two-factor Authentication (2FA)

Two-factor Authentication (2FA) provides an additional level of security to your
users' GitLab account. Once enabled, in addition to supplying their username and
password to login, they'll be prompted for a code generated by an application on
their phone.

You can read more about it here:
9
[Two-factor Authentication (2FA)](../profile/two_factor_authentication.md)
10 11 12 13 14 15 16 17 18 19 20 21 22

## Enabling 2FA

Users on GitLab, can enable it without any admin's intervention. If you want to
enforce everyone to setup 2FA, you can choose from two different ways:

 1. Enforce on next login
 2. Suggest on next login, but allow a grace period before enforcing.

In the Admin area under **Settings** (`/admin/application_settings`), look for
the "Sign-in Restrictions" area, where you can configure both.

If you want 2FA enforcement to take effect on next login, change the grace
23 24 25 26 27 28 29
period to `0`.

---

![Two factor authentication admin settings](img/two_factor_authentication_settings.png)

---
30 31 32 33 34 35 36

## Disabling 2FA for everyone

There may be some special situations where you want to disable 2FA for everyone
even when forced 2FA is disabled. There is a rake task for that:

```
37
# Omnibus installations
38 39
sudo gitlab-rake gitlab:two_factor:disable_for_all_users

40
# Installations from source
41 42 43
sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
```

44 45
**IMPORTANT: this is a permanent and irreversible action. Users will have to
    reactivate 2FA from scratch if they want to use it again.**