16.3 Support Readiness - (Aug 16 release) Require email address confirmation if login meets high risk criteria

What is happening

Anti-Abuse is adding a requirement to send a code to a user's email when the user is logging in from an IP address that they have never logged in from before or when they have failed to log in 3 times in 24 hours (if they are not enrolled in 2FA). When a user is prompted to confirm their email address for the first time, they will be able to update it to a working email address.

Relevant blog: https://about.gitlab.com/blog/2023/08/08/gitlab-account-security/

https://gitlab.com/gitlab-org/gitlab/uploads/3e77479d783446b426b4c6a02dfb65ce/Screen_Recording_2023-07-27_at_10.58.24.mov

Status / What actions have been taken so far

We have released this twice before and have responded to user feedback each time. We recently announced that a user will need to update their email to a valid email address. That announcement was removed after 1 day. Given the reaction to the previous releases, leadership has opted to move forward with releasing the feature without further announcement.

Timeline / Important Dates

This will be released Wednesday 16 August 2023.

Related Issues/MRs/Epics

What impact will this have on users?

Users who do not have a valid email address will need to go through account ownership verification to regain access to their account.

What this may look like for Support

Anticipated Support Impact: Medium

What errors or messages users may report: Users may be logged out of their account if they do not have a valid email address.

What workarounds/solutions are available?: Account ownership verification to regain access to their account.

Do users need to be contacted?

No

DRIs/Contacts for questions and approvals for communications/action items

  • Slack Channel: g_anti-abuse

  • Product or Development DRI: @tmccaslin

  • Security DRI (if applicable):

  • Support DRI: @mgibsongl

  • Engineering DRI: @jayswain


Support Resources

  • FAQ for Support:
  • Other resource:

User contact

  1. Categorize provided list by free/paid (if necessary)
  2. Message(s) to send to users created and approved by appropriate DRIs.
  3. Pull list of contacts using the runbook
  4. Send the message to the list of contacts using the ticket generator form. Link to created issue:
  5. In the above issue, add a note at the top of the description or a comment that all tickets should be tagged with the tag ``.

Zendesk Macros

Zendesk tag: ``

  1. Macro MR:
    1. Macro adds appropriate tag
    2. Set DRIs as reviewers

Communication to Support team

  1. Announced to team in
    1. #support_gitlab-com or #support_self-managed or #support_team-chat
    2. SWIR

Edited by Michael Gibson