How to stop Constant Verification?

I’m using a GitLab Free account. I continually get a message to verify my identity via an email message anytime I open the GitLab window in my browser (Safari on a Mac usually, but occasionally Firefox on a Windows machine). This happens every single day, and often multiple times during the day. I have clicked on remember me (both boxes) every time. I do not have 2FA on.

The issue with this is that I access Gitlab on 3 different machines and am not always in the same location. My email is POP and only on one machine in my office. When I am not in the office I do not have access to it. Yet I need to access and use my GitLab account when out in the field.

Is there any way to turn off the irritating re-verification process? I trust that I have a secure password so I am ok with the risks of not having a second verification every time I log in.

1 Like

As per the blog: GitLab account security: Verify your information for enhanced protection

No, you cannot. If you don’t want to do email verification every time, set up 2FA so that you can use your phone, Yubikey, etc. as a 2FA method. Whilst you know your password is secure, GitLab the application doesn’t.

As explained in the blog, it is forced and you cannot disable it. Alternatively, change your email associated with your account to one that you have that is accessible when you are not near your office computer. Like gmail, protonmail or whatever. If that isn’t an option, then you must add a 2FA option.

2 Likes

May be worth checking your cookie settings, you will get logged out whenever the cookies are cleared. I have GitLab cookies as “never clear” and am logged in for weeks at a time (pretty much only re-login on browser upgrade). I don’t have 2FA theatre enabled.

No options to set cookie settings in Safari other than to clear them or block or not block them. But as discussed above this is considered a “feature” not a bug and won’t be changed.

Not sure if this would work with setting up 2FA for Gitlab, but Safari Passwords now has an option to set up a verification code. I use this for signing on to forum.gitlab.com. After password verifies, the 2FA code prompt gets filled in with this code.

Then just tap to enter the code:

It would be nice if the Safari verification “device” could be used to work with Gitlab signon as well.

This is a usability disaster. GitHub handles this much better: Users can decide themselves whether they always want to use 2FA, and there is a dedicated sudo mode for critical actions such as making a repository visible. I do not want to check my emails or use an authenticator every time I want to star a repo or read a pull request. 2FA or email verification on GitLab.com should really be made optional.

4 Likes

Actually, Github is moving people to mandatory 2FA, so what you write is not true anymore. See: About mandatory two-factor authentication - GitHub Docs

This will most likely be enforced on a lot if not all websites at some point where a login is required, and it totally makes sense from a security point of view. That aside, Github is no different to Gitlab in this respect.

1 Like

GitLab needs to just ask users if they want this annoyance, and allow users to turn it off.

On the page you linked to, it says that is only

If you are in an eligible group

I’m not in an eligible group and mine was forced to 2FA on Github. It’s only a matter of time before it even gets to every other user account there as well.

Gitlab do not need to ask, it is their platform that they have to manage. They decide. If you don’t like that, you can install your own private server with Gitlab and then decide yourself if you do not want 2FA.

@iwalker Oh, you are right, my GitHub account is 2FA too. The difference though is that GitHub seems to do a much better job at detecting and remembering my device. Especially on my phone (Chrome on Android), GitHub remembers me even after several months, whereas GitLab.com asks for an email verification already after a few days since the last login.

I don’t know why this happens TBH. I certainly don’t have this issue with gitlab.com but I expect it could be certain IPs/ISP IP ranges, more restricted browser settings than the defaults. I use Brave with default settings, and would expect Brave normally to throw up problems as it sometimes does for some sites, but it hasn’t for me anyway. The only thing I can think of is the IP ranges or browser settings.

I mean really, how dumb is this? First they force the master to “main” crap on us, now this?

GitHub also did this switching from master to main. You can configure GitLab to use master, but only on your own GitLab installation, not SaaS (gitlab.com). Basically most likely because of the master slave connotation. Apparently you also can no longer mention clusters as master/slave, but rather use `active/standby` instead in case anyone gets offended by it.