GitLab Support is no longer processing MFA resets for free users

Hi @lkozloff, yes I understand this BUT if there is no better 2FA process (e.g. from Google or others), or there is no connection between license and account, these steps can be a trap for companies only because the process of verification is not good.
But thank you very much for trying to solve my issue. My ticket number is 187827; under my account there is only one license, ID 122916, for our company, also registered to my email. We are close to prolonging the license, because I need to solve this issue.

Thank you once more

I am surprised that a policy change like this was made with only passive communication on your blog. This change has put my account in an orphaned state. Had extant MFA users been messaged about this potential outcome before the policy was enacted, I could have made assurances that I was not in this state.

Additionally, any ticket I have opened about this has been auto-responded and auto-closed. But I’m hoping to log in so I can migrate my formerly paid GitHub account’s repositories to GitLab with a paid account here. Is there a way to buy support on a locked account? I’d like to support GitLab over GitHub, if you’ll let me.

Right, so I also need to chime in complaining about this policy. My problems are twofold:

  • As someone else pointed out, I've only found out about this policy when needing a 2FA reset. This is ridiculous; in order to adhere to good security practice I've enforced 2FA for everyone in my company. Just the smallest amount of information when clicking that tick box would have made sure everyone in my company had backup codes sorted out.
  • We’re on free tier not to save money, but just because we don’t need anything on the higher tiers. Some base level of support we’d be happy to pay for. The argument about not being able to securely ‘know’ us just doesn’t wash with me. Ask us for identification. We’d be happy to give it or to pay a bit towards it.

As it is now I have a dev locked out of her account because she needed to get a new phone. As another poster has said, policies like this are enough to move teams elsewhere. We're now looking at:

  • Move all our projects elsewhere, migrate our CI files elsewhere
  • Take the security risk that we could all be irreversibly locked out of our accounts
  • Pay $99 per user per month ($2079 for us) just to have a base level of support

For self-hosted/managed, e.g. gitlab-ce installed on your own server, it is possible to disable 2FA for your users, providing you have an Admin login to that instance. For example, a new installation of Gitlab already has the root user as admin. So if I log in as root, I can then disable 2FA for my user myself, as shown below in the screenshot from selecting my user. Obviously if using gitlab.com then you cannot do this, but on a self-hosted instance I can do it myself, or if I was not the administrator, then I could ask my Gitlab Admin to do it for me.

Yeah, we're on SaaS so not an option for us. I have seen about the SSH recovery codes which might save us in this instance (got the info after raising a support request in vain!).
However my point with the free plan still stands I think. As a company we’d happily pay $5/10 per user for decent support, we just don’t need the issue tracking so $99 is far too much.

I updated my phone and there was an error, so I ended up resetting my phone. There is no way to reset my authentication and I lost all my work :frowning:

This is a bigger issue than I think Gitlab realise. I understand the issue of “cost” of verifying free users, including not having much to verify them against. However, not only are you locked out of your data, you are also prevented from creating a new Gitlab account with the same email.
I think Gitlab needs to review this, and at the very least allow a way to "move away" the old locked account so that a new account with the same email can be created (and connected to things like Google login). We have an account that is now locked out of Gitlab; the user rarely needs to come to Gitlab and moved to a new phone, and even though our Google Workspace accounts are protected with 2FA, they can no longer log in with Google to Gitlab, and are forced to create a new account with a different email to have access to our projects again.

This doesn't encourage us to pay for Gitlab.com, rather to move all of the projects we currently have to Gitlab self-hosted. We have many users who don't need much access to our Gitlab projects, only doing a code review every 3-6 months, no commits etc. Paying for a license for these users adds up quickly (just so that when they lock themselves out of 2FA we can get it fixed for them).

And this sums it up perfectly:

Of the thousands and thousands of free users, how many are using MFA?

Of those using MFA, how many have ever requested an MFA reset?

Of those MFA reset requests, how many are inappropriately approved, that would have been stopped by this?

If you use a nice little application called "Authy", it has backups, and provided you remember the backup password, you can install Authy on a new phone and restore your backup. I also have Authy installed on two phones, one iPhone and one Android phone, and I can use either to get into my account. Then there are absolutely no problems when losing your phone, since you can just get another one, install Authy, and restore.

Or, also, use a Yubikey, which I also do, which means I can get into my account with either a 2FA code or the Yubikey. If I accidentally lose my Yubikey or leave it at home, no problem, I have my phone with Authy.

I find Authy far better than Google Authenticator, because of this ability to restore later.

I also understand that Gitlab don’t want to offer support for free for resetting people’s accounts. And if you don’t want to pay, you can run your own Gitlab server and manage, maintain and support it yourself, and disable 2FA for your user accounts in the Admin panel when your users cannot get into their accounts. I question the reasoning for people who cannot be bothered to run their own server, and yet expect for their 2FA/MFA to be reset for free. If you are unwilling to be burdened with the costs of hosting yourself and managing your own server, why should Gitlab do it for you for free?

So you can run your own server, and have the headaches and extra administration tasks. Or, if you want the easy way, stay on Gitlab SaaS with free accounts, and use Authy instead, which you can easily restore to get back in when you lose your phone. Then you aren't locked out of your data.