2FA option: recovery PAT
Problem to solve
Users often lose access to their two-factor authentication (2FA) app, and will not have downloaded their codes. We also allow resetting codes via SSH, but many users don't have SSH keys either.
Currently, on GitLab.com, if users lose access due to 2FA, they write in to GitLab Support. Dealing with these requests is very time-consuming at the moment because we need users to provide various pieces of information and Support needs to verify them.
Intended users
GitLab.com users
Further details
Allow the use of a personal access token (PAT) as an alternative way to generate a 2FA code.
This would be similar to SSH.
Alternative ways for users to access their account have been discussed in gitlab-com/support/support-team-meta#1559 (closed), moving towards decreasing the number of tickets the team receives. See also https://gitlab.com/gitlab-com/support/support-team-meta/issues/1715
An SMS code option has also been proposed: https://gitlab.com/gitlab-org/gitlab-ce/issues/63280
Proposal
Add an option on the 2FA settings page to add an account recovery code: https://gitlab.com/profile/two_factor_auth
We can show/prefer U2F and the authenticator app since they're more secure.
Documentation
Add a section to: https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html
and possibly a note in https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html
What does success look like, and how can we measure that?
Decrease in 2FA tickets to GitLab Support.