Continued Support for Login/Password Authentication?

I’m planning on switching our organization to GitLab from GitHub. The main motivation for doing this is GitHub’s decision to enforce token authentication for all authentication operations (no more cloning, pushing, etc. using login/password).

Just wanted to be sure before we make the move that there’s no talk of GitLab following suit. Anyone heard anything about this?

Thanks!

  • James

Not sure if it won’t be phased out, but to be honest, irrespective of if you use GitLab or another solution, using tokens for authentication is a better option than passwords. Tokens can easily be revoked, and can even be configured for using only particular resources, whereas a password would have access to everything. Alternatively, if not tokens, then SSH keys should be used instead of passwords.

If passwords, then 2FA should also be enabled for extra security to ensure you don’t lose access to your account.

Hi @jm1024, welcome to the GitLab Community forum! :tada:

There is no talk of entirely removing the ability for username/password basic HTTP authentication. This is not on the GitLab roadmap.

That said, I suggest enabling 2FA on any important accounts as a security best practice, and enabling 2FA will disable the option for basic username/password HTTP authentication for git operations. Additionally, using SSH keys for authorization instead of username/password provides additional security benefits. These are recommendations but not restrictions, so you can continue using username/password authentication for Git operations on GitLab.com for the foreseeable future.

If you choose to secure your account with username/password one-factor auth, I recommend using a strong, unique password.