2FA option: SMS phone code for account access
Problem to solve
Users often lose access to their two-factor authentication (2FA) app, and will not have downloaded their codes. While we also allow resetting codes via SSH, many users also don't have SSH keys.
Currently, on GitLab.com, if users lose access due to 2FA, they write into GitLab Support. It is a very time-consuming process at the moment to deal with these because we need users to provide various information points and Support needs to verify it.
Intended users
GitLab.com users
Further details
Providing an SMS or phone call code as an alternative to authenticator app codes is a very common option for SaaS products.
Alternate ways for users to be able to access their account have been discussed in gitlab-com/support/support-team-meta#1559 (closed), moving towards decreasing the number of tickets the team receives. See also https://gitlab.com/gitlab-com/support/support-team-meta/issues/1715
Proposal
Add an option on the 2FA settings page to add a phone number for SMS code: https://gitlab.com/profile/two_factor_auth
We can show/prefer U2F and authenticator app since they're more secure.
Documentation
Add a section to: https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html
What does success look like, and how can we measure that?
Decrease in 2FA tickets to GitLab Support.