Good - 2FA is the responsibility of the user and resetting it kind of invalidates the security it helps bring.

I think the bigger issue is that people's 2FA codes are still tied to their phone. You can lose your phone at any moment, which is why I've always disliked apps like Google Authenticator which don't let you export 2FA keys (for good reason).

I personally use 1Password, but there's definitely room for a cloud storage solution that safely holds 2FA credentials.
Is it just me, or does this make my MFA-protected account safer?

I wish companies offered this as a feature, in the sense I'm much more worried about someone SEing their way into my account rather than me losing access to all my MFA methods and backup codes or whatever.
Although framed as a security improvement, I'm sure it's also a massive support burden. When you have hundreds of thousands or millions of users, at some point you probably have support staff who do nothing but help users reset their MFAs all day every day. It seems fair not to do this for free users. Some services gate MFA to paid accounts, which seems like a worse trade-off.

With free users you also have less information available to you as a provider in determining if the reset request is legit or not.
For comparison, here's GH Policy:

https://docs.github.com/en/github/authenticating-to-github/recovering-your-account-if-you-lose-your-2fa-credentials

> Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods.

I think it's hard to securely restore an account that is using MFA without being vulnerable to social engineering, SMS takeover, etc. If it's on a corporate account it's easy -- just talk to IT. But for semi-anonymous free accounts? I'm not sure what the expectation here is. What are some good strategies you've seen other providers take?
This seems to create an interesting security loophole. If someone figures out our GitLab password (i.e. by looking over our shoulder), they can just log in, enable MFA and we are locked out, forever.

Think about this. Any criminal who gets access to your GitLab account can make it impossible for you to access it ever again.

If I used GitLab, I would seriously consider moving somewhere else.
There was a discussion about the topic of MFA resets on the Risky Business podcast[0] in which the host, Patrick Gray, suggested companies require a one-time fee for MFA resets. I think the suggested amount in the show was $50, which seems reasonable enough for western markets. It creates a deterrent for attackers and in the case of free products like GitLab allows the support costs to be covered. Additionally, the act of payment itself can help prove identity.

0: https://risky.biz/soapbox43/
I don't care how high up you are on your infosec high horse, but the likelihood and potential damage caused by a developer losing access to their 2F device is *far higher* in *nearly every scenario* than someone being hacked.

The only correct response to this is for companies to make it against internal policy for developers to enable 2FA. Which is sad.
This looks like a page that people would find *after* they lose access to their account permanently. There's a lot of CYA language here. Maybe they should have this at signup for MFA or force people to read it next time they log in.
I generally support not resetting MFA credentials, and understand where Gitlab is coming from, but wish there were an easier way for the average user. I think that easier way is getting two FIDO2 keys (they're pretty cheap and will get cheaper), and have one on your keychain and one at home, as a backup.
> If you are caught where you are not able to provide your MFA token and without these backup methods, your account will be irrecoverable.

This seems absurd. I vaguely remember another SaaS tool I used that had this policy, but I don't understand it. Even crypto exchanges allow recovery if you lose all traditional recovery methods by submitting documentation like your scanned driver's license among a couple other pieces of info proving you are who you are.

If you offer MFA, I love the idea of following best security practices for users recovering their accounts when losing MFA devices/tokens/etc., but there has to be a "best practice" that includes recovering an account after a due diligence process has been followed proving a user is who she says she is if she lost all normal recovery methods.

Edit: It does look like they have a different, less "fatal" avenue to recover work-related accounts ("What if this is a work account?" FAQ), but I'd still be scared to host my FOSS repos there and make a mistake only to lose my account forever.
> I don't like this and I want to tell someone.

I'm sure this is meant to come across as maybe slightly tongue-in-cheek, and is also meant to provide users an outlet they feel they can vent in productively, but... it reads as dismissive, and leaves me with the impression that they don't actually care to hear any feedback.
Isn't this why almost every site with 2FA support asks you to print out backup codes and keep them somewhere safe, and warns you that you won't be able to recover your account if you lose them? I thought this was standard practice. I'm surprised it seems to be so controversial.
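The "standard practice" this comment refers to is worth seeing from the service's side. Below is an added example (not code from GitLab, GitHub or any commenter in this thread) of how a site can issue printable backup codes and honour them: the plaintext is shown exactly once at enrollment, only salted PBKDF2 hashes are stored, and each code is consumed on first successful use. The code count, code length, KDF iteration count and the `abcde-fghij` display format are constructed parameters, not anyone's documented policy.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Constructed parameters: 8 codes of 10 lowercase alphanumerics (~51 bits each).
ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 10
CODE_COUNT = 8
KDF_ITERATIONS = 10_000  # kept low for the example; a real service would use more


@dataclass
class BackupCodeStore:
    """Server-side record: a per-user salt plus the hashes of codes not yet used."""
    salt: bytes
    hashes: list = field(default_factory=list)


def _normalize(code: str) -> str:
    # Accept the printed form ("abcde-fghij"), pasted spaces and any letter case.
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS)


def format_code(code: str) -> str:
    """Display form shown once at enrollment, e.g. 'abcde-fghij'."""
    return f"{code[:5]}-{code[5:]}"


def enroll(count: int = CODE_COUNT) -> tuple[list[str], BackupCodeStore]:
    """Generate fresh codes. Returns the plaintext codes (shown to the user once,
    never stored) and the hashed store to persist. Re-enrolling replaces old codes."""
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
             for _ in range(count)]
    salt = secrets.token_bytes(16)
    store = BackupCodeStore(salt=salt, hashes=[_hash_code(c, salt) for c in codes])
    return codes, store


def redeem(store: BackupCodeStore, submitted: str) -> bool:
    """Consume one backup code. Each code works exactly once; a wrong code changes
    nothing. A real login flow would also rate-limit and audit-log calls to this."""
    digest = _hash_code(_normalize(submitted), store.salt)
    for i, stored in enumerate(store.hashes):
        if hmac.compare_digest(stored, digest):
            del store.hashes[i]  # single use: burn it
            return True
    return False


def remaining(store: BackupCodeStore) -> int:
    """How many unused codes are left; a UI would warn the user when this gets low."""
    return len(store.hashes)


if __name__ == "__main__":
    codes, store = enroll()
    print("Print these and keep them somewhere safe:")
    for c in codes:
        print(" ", format_code(c))
    print("first use:", redeem(store, format_code(codes[0])))
    print("second use of the same code:", redeem(store, codes[0]))
    print("unused codes left:", remaining(store))
```

Because nothing but the hashes survives enrollment, the service genuinely cannot hand the codes back later; the warning this comment describes is a statement of fact about that storage design, not just cover-your-back language.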
Why not introduce a model where one who has lost their MFA keys pays something like, say, $50 to make up for the time the support team spends on the ticket?

Such a decision is something that would make me either leave the service, not trust it with anything important or not enable MFA.

(Side note, this is also valid for Google, Twitter, Facebook, AWS and other services that take pride in letting AI manage everything with no avenue of contacting a human with authority to override the AI.)
As someone who had two phones break and lost my 2FA for GitHub, this makes me sad.

They were willing to help me - took a week but I got my account back.
This makes sense. If it bugs you, just upgrade to a paid account. Being able to manually verify your identity in case of emergency is a real service and worth paying money for.
This is the right move. Get two u2f keys. Keep one on your person on your keys, keep the other in your car, at your parent's, or in a safe deposit box depending on your personal threat surface.
Side note - the SSH-based recovery mechanism is great and delightful. I happened to need a reset for salsa.debian.org and it saved me from bugging Debian's GitLab folks for support.
I wonder if services like Git..b would ever enable MFA based on ssh. That is, configure their endpoint to require both the key and the password to log in, push or fetch.
I think this is interesting in that the correct response as a user is to literally maintain a backup mirror GitLab account in case you lose access to your original one. What a bizarre change from a SaaS company whose value proposition is to make things easier than doing them yourself.
This is a terrible idea which encourages people to use weak security: it's effectively telling people that if they enable MFA, GitLab will ensure that they suffer irrecoverable damages — but if they don't enable MFA, everything is recoverable. That is the opposite of what we want from a security perspective and it risks causing users to be less secure everywhere else because having seen that message will make them question whether they'll regret enabling MFA even on sites which have good security policies.

GitLab should respect the trust that users place in it and account for the kind of life events which happen to people every day: houses get flooded or burned, safes are burgled, people have to leave abusive situations in a hurry and may be escaping household members who actively try to sabotage them, people die without having made perfect handover plans (especially relevant this year), etc. Of particular interest, consider why the browser manufacturers reversed course on HTTPS key pinning after seeing attackers successfully use it to prevent legitimate users from regaining control — if implemented, this would make it extremely risky to use GitLab because everyone would be one compromise away from an attacker having permanent control of your account — and that would make GitLab look extremely bad for having put themselves in the position of supporting the attacker _unless_ you pay GitLab money (I am certain this is not the _intention_ but it is definitely how it would look to say that FOSS developers are second-class).

There are a number of fallback techniques which can make most of those situations recoverable, and it's okay if they're slow or inconvenient — nobody complains that their airbags are messy. Some ideas:

1. Have a process where someone can use a trusted third party to verify identity: for example, register identifiers (driver's license, passport, etc.) and have a form which can be notarized after checking ID and mailed in. It's slow but that works even in the "I lost everything I wasn't wearing" scenario — and if you did just lose your house to a natural disaster or flee an abusive ex, you probably have bigger concerns than getting control of your GitLab identity back in less than a week.

2. Configure next-of-kin / trusted friends who can approve a reset request, perhaps requiring more than one.

3. Allow the user to configure some number of IdPs to approve an unlock, increasing the level of compromise that an attacker would need to hit before getting the ability to perform a reset. There are drawbacks to this approach but most people do not have threat models which are meaningfully resistant against someone who can compromise multiple of {Apple, Google, Facebook, Microsoft, login.gov, etc.} and could be pretty effective combined with a time-delay (e.g. send notifications for n days before actually resetting MFA).
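Ideas 2 and 3 above combine into one mechanism: an M-of-N approval threshold plus a mandatory notification window during which the real owner can cancel. The example below is added here and is not GitLab's code or the commenter's; it models that state machine so the three gates (not cancelled, enough distinct approvals, delay elapsed) are explicit and testable. The `RecoveryPolicy` / `RecoveryRequest` names, the contact addresses and the 7-day window are constructed for illustration, and "approver" stands in for either a trusted friend or an external IdP, whose actual authentication is out of scope here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RecoveryPolicy:
    """Settings the owner configured while they still held working MFA."""
    trusted_contacts: frozenset   # identities allowed to approve (hypothetical)
    approvals_required: int       # M-of-N threshold
    delay: timedelta              # notification window before a reset takes effect


@dataclass
class RecoveryRequest:
    account: str
    opened_at: datetime
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    log: list = field(default_factory=list)  # constructed audit trail


def open_request(policy: RecoveryPolicy, account: str, now: datetime) -> RecoveryRequest:
    """Start the clock. The owner is told on every registered channel, so someone
    who still has a session or one factor can cancel a hijack attempt in time."""
    req = RecoveryRequest(account=account, opened_at=now)
    effective = now + policy.delay
    req.log.append(f"{now.isoformat()} notify owner of {account}: MFA reset "
                   f"requested, earliest effective {effective.isoformat()}")
    return req


def approve(policy: RecoveryPolicy, req: RecoveryRequest,
            contact: str, now: datetime) -> bool:
    """Record one approval. Unknown approvers, repeat approvals and approvals on a
    cancelled request do not count; a set makes each contact worth at most one vote."""
    if req.cancelled or contact not in policy.trusted_contacts:
        return False
    if contact in req.approvals:
        return False
    req.approvals.add(contact)
    req.log.append(f"{now.isoformat()} approval from {contact} "
                   f"({len(req.approvals)}/{policy.approvals_required})")
    return True


def cancel(req: RecoveryRequest, now: datetime) -> None:
    """Owner action from an authenticated session: abort the pending reset."""
    req.cancelled = True
    req.log.append(f"{now.isoformat()} cancelled by owner")


def can_reset(policy: RecoveryPolicy, req: RecoveryRequest, now: datetime) -> bool:
    """All three gates must hold before support (or automation) clears the MFA."""
    if req.cancelled:
        return False
    if len(req.approvals) < policy.approvals_required:
        return False
    return now - req.opened_at >= policy.delay


if __name__ == "__main__":
    t0 = datetime(2020, 12, 1, tzinfo=timezone.utc)
    policy = RecoveryPolicy(
        trusted_contacts=frozenset({"alice@example.org", "bob@example.org",
                                    "carol@example.org"}),
        approvals_required=2,
        delay=timedelta(days=7),
    )
    req = open_request(policy, "dev-account", t0)
    approve(policy, req, "alice@example.org", t0 + timedelta(hours=1))
    approve(policy, req, "bob@example.org", t0 + timedelta(days=1))
    print("day 1, inside the window:", can_reset(policy, req, t0 + timedelta(days=1)))
    print("day 7, window elapsed:   ", can_reset(policy, req, t0 + timedelta(days=7)))
    print("\n".join(req.log))
```

The delay is what makes the scheme tolerable against the "one compromise away" objection: an attacker who phishes a password and lines up approvals still has to keep the owner from noticing any of n days of notifications, while a legitimate owner who lost everything only pays in waiting time.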
I agree, but having worked in SaaS, and done a lot of partnerships, Microsoft has infinite leverage to turn something like MFA services into a co-branding exercise that pays for itself.
The free internet services model is fundamentally broken. It's just not sustainable that good service can be offered for free.

Where do you get free groceries, free petrol/gas or anything else?
Exactly, just use a password; no one is trying to hack your stuff, and the biggest risk is you.

So sick of services that constantly tell me to use MFA.

No, I don't want to, and if I thought the service was that important I would use it.