Support U2F without TOTP
Problem to solve
Currently, the only way to set up a U2F token without TOTP is to “trick” GitLab into thinking we have a device set up with TOTP (for instance by using oathtool manually).
Further details
This is problematic for several reasons:
- It is terrible UX: you have to guess you can “trick” the software, and manually invoke oathtool.
- It results in documentation issues, like gitlab-ce#27677.
- From a security perspective, forcing users to set up a less-secure authentication option (in particular, one that is susceptible to phishing) doesn't make much sense.
Proposal
Allow users to activate 2FA by setting up TOTP or a U2F token. In either case, provide recovery tokens to regain control of the account.
What does success look like, and how can we measure that?
The feature is implemented, and users can successfully set up U2F without TOTP.