I lost my TOTP key and recovery code

Hello,

I lost my TOTP key and recovery code due to a mistake with my password manager (Bitwarden).

The support can’t help me because I have a free account. (https://support.gitlab.com)

Should I give up my account? Have I lost it?

Thank you

Hi @jb10,

Support will surely help you out!

In the meantime, if you have SSH set up with GitLab, try this:

https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh

2 Likes

I don’t have SSH set up.

And no, the support doesn’t help:

" Hey there,

Thanks for contacting GitLab Support.

As of 2020-08-15 GitLab Support is no longer processing requests to disable two-factor authentication for free accounts that do not have a GitLab.com subscription, to safeguard the security of our users. For more information about this change please see our post on the GitLab Blog. Please note that this ticket will automatically close itself out within 1 hour.

If you believe that you received this response in error and already have a GitLab.com subscription, please reply with the organization or subscriber name and the email address the subscription was purchased under.

For more information on our support policies and the community-driven support resources available to you, please see our statement of support.

If you’re interested in purchasing a subscription, please see the pricing page for information on pricing, features, and support response times for each subscription level. You can also contact our sales team. "

1 Like

Oh wow! This is rude!

I’m afraid you have to consider your account lost, as it is explained in the link the support gave you: https://about.gitlab.com/blog/2020/08/04/gitlab-support-no-longer-processing-mfa-resets-for-free-users/

You can find some discussion about it here: GitLab Support is no longer processing MFA resets for free users

1 Like

Thank you

Great, I’ve lost my projects. The gitlab.com service really sucks.

Same thing happened to me with GitHub when I left a company due to mass layoffs. The keys were on their equipment so I lost my account.

Treat these things as a single point of failure. I’d rather take the security risk of a user/pass/email and still have access to my account even if something got hacked versus these keys where authoritarians won’t cooperate and you lose everything.

I can’t understand how anyone would think that getting hacked is worse than losing everything. It’s a technology that people have not fully checked out all failure scenarios to understand what the worst case consequences are.

2 Likes

Thanks to RGPD (Or GDPR), I managed to recover my data. So I have my projects and commits…

1 Like

The RGPD team is good. Too bad I can’t get my account back. Especially since I was able to recover my data…

1 Like

Hello
I was in the same situation two months ago, and the recovery with SSH request did not work.
I sent a request to the support and I had no answer.
But!!! I retried the SSH request today and it worked! (ssh git@gitlab.com 2fa_recovery_codes)
I got my account back.
I hope that it helps you, @jb10.
Arnaud

I suggest also installing an app called “Authy” and using this instead, since the app has a backup feature, and you can even use it on multiple phones/devices. So, if I lose my phone, no problem, I get another, install Authy, restore using my backup password and I got my 2FA access.

Not all 2FA apps are great, I used to use Google Authenticator, but considering the Authy benefits, I don’t even need to download the recovery codes ever. I also use Yubikey, so I can get access to Gitlab with 2FA time-based codes, or Fido/U2F device as I connected both to my login.

For other apps that don’t offer this restore functionality, there was the option to save the recovery codes and print it out or other methods to store it, so an account can always be recovered by yourself if you took all the necessary precautions in the first place. But if you didn’t do this, then there is no one else to blame except yourself. Gitlab doesn’t have to give free support, when you could have guaranteed access to your account by doing all the previous mentioned steps.

Hi, execute this:

ssh git@gitlab.com 2fa_recovery_codes

In console with ssh key.

Hello, is it possible to pay and get support to reset the account when TOTP key and recovery code are lost?

I’ve lost my projects too, all of them.

I am very sad and furious.

ok, that’s not a big deal… can we claim to disable or delete that account by contacting the GitLab support channel? so I can add my google authentication to a new account?

Thank you! The SSH recovery worked.

First, I can’t agree more with @iwalker: get the “Authy” app for 2FA (two-factor). It is far better than any other app I’ve tried and would have helped me if I had used it for this, but now I have GitLab in Authy as well.

Anyone that is stumbling across this post like I did and has a user token setup (with the correct permissions) you can try this below. This worked for me after a bit of trial and error of figuring it out

# Create an RSA key and save it to a location you prefer with a name that is helpful.
# In my example I save it as /Users/dkittell/repo/GitLabKittell
# ssh-keygen -t rsa

userToken="<user token>"; # Put in your valid user token
gitServer="https://gitlab.com" # If on public GitLab keep this otherwise change to your server address
sshName="GitLabKittell" # This will be the name of the SSH Key that will show in GitLab Web GUI
sshKey=$(cat /Users/dkittell/repo/GitLabKittell.pub) # Make sure to put in the full path of the key pub

# Run this curl command with all the above constants in terminal and it should create the key for you provided you have a valid user token
curl -X POST -F "private_token=${userToken}" -F "title=${sshName}" -F "key=${sshKey}" "${gitServer}/api/v4/user/keys"

# Run this command (change the pub key path and remove the .pub) to create new recovery codes.
# Note: it will prompt you with a yes/no response
ssh -i /Users/dkittell/repo/GitLabKittell git@gitlab.com 2fa_recovery_codes

1 Like

@kittell Good to know that you can push the key via an already-configured personal private token. Thanks for posting that! I’m sure it will be helpful for anyone else who might have this issue when they didn’t happen to add an SSH key to their account.

1 Like