GitLab Support is no longer processing MFA resets for free users

Hi @lkozloff , yes I understand this BUT - if there is no better 2FA process (for e.g. from Google or the other). Or there is no connection between license and account this steps can be a trap for the companies only because the process of verification is not good.
But thank you very much for trying solve my issue. My ticket number is 187827 - under my account is only one license ID 122916 for our company - registered also to my mail. We are close to prolong license - because I need solve this issue.

Thank you once more

I am surprised that a policy change like this was made with only passive communication on your blog. This change has put my account in an orphaned state. Had extant MFA users been messaged about this potential outcome before the policy was enacted, I could have made assurances that I was not in this state.

Additionally, any ticket I have opened about this has been auto-responded and auto-closed. But I’m hoping to log in so I can migrate my formerly paid GitHub account’s repositories to GitLab with a paid account here. Is there a way to buy support on a locked account? I’d like to support GitLab over GitHub, if you’ll let me.

Right so I also need to chime in complaining about this policy. My problems are twofold:

• As someone else pointed out I’ve only found out about this policy when needing a 2FA reset . This is ridiculous, in order to adhere to good security practice I’ve enforced everyone in my company to have 2FA enabled. Just the smallest amount of information when clicking that tick box would have made sure everyone in my company has backup codes sorted out.
• We’re on free tier not to save money, but just because we don’t need anything on the higher tiers. Some base level of support we’d be happy to pay for. The argument about not being able to securely ‘know’ us just doesn’t wash with me. Ask us for identification. We’d be happy to give it or to pay a bit towards it.

As it is now I have dev locked out of her account because she’s needed to get a new phone. As another poster as said policies like this are enough to move teams elsewhere. We’re now looking at:

• Move all our projects elsewhere, migrate out CI files elsewhere
• Take the security risk that we could all be irreversibly locked out of our accounts
• Pay $99 per user per month ($2079 for us) just to have a base level of support

For self-hosted/managed, eg: gitlab-ce installed on your own server, it is possible to disable 2FA for yours users, providing you have an Admin login to that instance. For example, a new installation of Gitlab already has the root user as admin. So if I log in as root, I can then disable 2FA for my user myself, as shown below in the screenshot from selecting my user. Obviously if using gitlab.com then you cannot do this, but as a self-hosted, I can do it myself, or if I was not the administrator, then I could ask my Gitlab Admin to do it for me.

2fa1161×1177 49.3 KB

Yea we’re on Saas so not an option for us. I have seen about the ssh recovery codes which might save us in this instance (got the info after raising a support request in vain!).
However my point with the free plan still stands I think. As a company we’d happily pay $5/10 per user for decent support, we just don’t need the issue tracking so $99 is far too much.

I updated my phone and there was an error, so I ended up resetting my phone.There is no way to reset my authentication and lost my all work

This is a bigger issue than I think Gitlab realise. I understand the issue of “cost” of verifying free users, including not having much to verify them against. However, not only are you locked out of your data, you are also prevented from creating a new Gitlab account with the same email.
I think Gitlab needs to review this, and at the very least allow a way to “move away” the old locked account so that a new account with the same email can be created (and connected to things like Google login). We have an account that is now locked out of Gitlab, the user rarely needs to come to Gitlab and moved to a new phone, and even though our Google Workspace accounts are protected with 2FA, they can no longer login with Google to Gitlab, and are forced to create a new account with a different email to have access to our projects again.

This doesn’t encourage us to pay for Gitlab.com, rather to move all of the projects we currently have to Gitlab self hosted. We have many users who don’t need much access to our Gitlab projects, only doing a code review every 3-6 months, no commits etc. Paying for a license for these users adds up quickly (just so that when they lock themselves out of 2FA we can get it fixed for them)

And this sums it up perfectly:

Of the thousands and thousands of free users, how many are using MFA?

Of those using MFA, how many have ever requested an MFA reset?

Of those MFA reset requests, how many are inappropriately approved, that would have been stopped by this?

If you use a nice little application called “Authy”, it has backups, and provided you remember the backup password, you can install Authy on a new phone, and restore your backup. I also have Authy installed on two phones, one iPhone and one Android phone, and I can use it to get into my account. Then, there are absolutely no issues with problems when losing your phone, since you can just get another one, install Authy, and restore.

Or, also, use a Yubikey, which I also do, which means I can get into my account with either, 2FA code, or Yubikey. If I accidently lose my Yubikey or leave it at home, no problem, I have my phone with Authy.

I find Authy far better than Google Authenticator, because of this ability to restore later.

I also understand that Gitlab don’t want to offer support for free for resetting people’s accounts. And if you don’t want to pay, you can run your own Gitlab server and manage, maintain and support it yourself, and disable 2FA for your user accounts in the Admin panel when your users cannot get into their accounts. I question the reasoning for people who cannot be bothered to run their own server, and yet expect for their 2FA/MFA to be reset for free. If you are unwilling to be burdened with the costs of hosting yourself and managing your own server, why should Gitlab do it for you for free?

So you can run your own server, have the headaches and extra administration tasks. Or, if you want the easy way, stay on Gitlab SAAS with free accounts, and use Authy instead which you can easily restore and get back in when you lose your phone. Then you aren’t locked out of your data.

@ralfaro I want to pay for a license to get support for solving a problem with 2FA.

How can I do this if I cannot login?

thank you!
I’ve lost my projects, all of them.
For some reason, my phone and SSH key were lost. Now I can’t reset my account and MFA.
so why not consider the problems that arise in extreme situations？I can’t understand.

I’ve just had a member of my work group get hit by this issue as she was using Google Authenticator to store the 2FA token. We didn’t know about this change in ability to reset the token. I’d echo what others have said above about this change disincentivizing 2FA enrolment.

From a post on 14th January above, it’s mentioned that the billing information is used to verify a user. We’ve previously been a paid group and have recently bought CI credits, so we do have active billing information in our group. Is this enough for us to get her account verified? If not, what’s the different between our situation where we do have active billing information, and a paid account? From my understanding of that post, it sounds like we should be OK here, but it only mentions paid accounts.

Because of this change I now can’t access my account I’ve had for years, whose 2fa codes have been lost to time. Thanks.

The icing on the cake is that there’s not even a legitimate reason provided to do this. This feels like you’re scamming unlucky and desperate users out of money to get access to their account back. Bad practices all around.

tag me when this is fixed.

image1114×704 85.8 KB

image1118×829 98.3 KB

Like someone else in the above thread said, I’d rather my account be at risk of an attacker and be able to do something about it, than nobody able to access it.

So basically since I don’t have a paid account, you guys are saying I’m not worth the trouble of assisting in getting my account back? I don’t even have the option to somehow become a paid member so that you can lift your finger and help me recover my account?

Understand this GitLab, I used you guys for many many years and always preferred your open-source environment over GitHub, but ever since I lost my old phone, and with it my GitLab account, I have 100% switched over to GitHub. They even offer private repos for free accounts now, not that it matters, however, because I’m happy to be a paid PRO member on GitHub because their website & support isn’t complete crap…

So yeah, good move guys. You’ve lost me as a user & potential customer forever, and I’m sure I’m not the only one. Hope it works out for you guys…

~ Peace

Exactly… and this is exactly why everyone is going to be switching to GitHub or self-hosted solutions. GitLab is seriously shooting themselves in the foot. Oh well…

~ Peace

@digitalnomad91 I suggest you test Github recovering your account when its protected with 2fa and you lose your phone. Quote from their support page:

Warning : For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods.

So same as with Gitlab when a free user. Had you uploaded an ssh key to your account you could have gotten your recovery codes and unblocked 2fa on your Gitlab account. But if you think you feel safer with Github free account good luck

I did upload an SSH key, but it’s to a server I no longer have. I still have an access token and I was actually able to add my new keys using curl & the API’s with my access token, but it appears that the 2fa unlock mechanism is taking into account when the keys were added… The point I was making though, is that GitLab is not giving me any other choice here. I actually pay GitHub for a pro account, and I would be happy to do so with GitLab, but they aren’t even giving me that option. Apparently, if you lose your phone and can’t unlock it with an old SSH key then I guess you’re just not wanted as a customer/user by GitLab.

Thankfully I was able to download all of my old repos from GitLab using my SSH key, and I’ve already gone ahead and restored them onto my pro GitHub account. Had I been given the option to upgrade my account in order to help me restore it, I surely would have taken that option. I’m also sure I’m not the only one that has dealt with a similar scenario.

And as far as “feeling safer” on GitHub goes, not sure why one would be any less safe than the other? Unless you take the fact that GitLab is unwilling to assist you if can’t get past 2fa. Or that one time GitLab was majorly hacked and lost a ton of repositories & data… permanently…

Guess I’m not wanted here anymore, oh well.

~ Peace

And what I was saying was having a free account on Github is no different to Gitlab. Unless you have paid subscription on either, then you have virtually no possibility of getting your account unlocked by either support teams. So saying Github is better in this respect is false, since it’s the same situation that you had with Gitlab. Had you had a free account on Github and attempted to get it unblocked, you would have been in exactly the same situation. Had you had a paid Gitlab account before getting blocked, then you wouldn’t have a problem. Since you have just done this with Github, so you see exactly where the problem is, because you don’t want to get locked out of your account on Github so paid before enabling 2fa just in case you ended up in the same situation as now.

That said, use authy app for 2fa since you can create backups with it and restore it on a new phone. That way these issues no longer exist and your account is always recoverable even without support. I even use authy on two different phones so if one phones dies and I dont have a charger I can still login using the other phone. Set up on first phone then restore on the second one.

That’s incorrect. I recently had to change my phone because my phone stopped working. Sadly, I did not have recovery codes for github as well as gitlab. And github has the user service that will send a recovery mail within 3 days. But gitlab does not have that. In that sense, github is better than gitlab, for free accounts

I hope there’s a plan for free users though, it would hurt just to lose the account because of lost recovery keys. Tried to use Gitlab account today after a while and met 2FA screen, and dont have authy setup on my brand new phone.

If the account is now deemed irrecoverrable can it be deleted then, in order to create a new one. Or it just means creating another account under a different email?