  • #27211
Closed
Open
Created Mar 07, 2019 by Antony Saba@asaba🚨Contributor

Email notification for all new logins

Problem to solve

Without requiring multi-factor authentication for accounts, user accounts without MFA configured are susceptible to credential stuffing and brute force attacks. We can improve response to incidents and encourage MFA use through automated email alerts whenever a successful login occurs.

Target audience

This is really for all users, but using Sam as the requester of this feature.

  • Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst

Proposal

Suggested text:

Dear <user>

A new login to your account has been made from <IP>. If you recently logged in and recognize the logged in location, you may disregard this email.

If you did not recently log in, you should immediately change your password: <link and instructions to password change>.  Passwords should be unique and not used for any other sites or services.

<If no MFA enabled>
To further protect your account, consider configuring a multi-factor authentication method <link to 2fa instructions>.

Permissions and Security

The notification email should go to the email address configured as the user's notification email address.

Documentation

If these notifications are configurable per user or instance, that will need to be documented, but there is value in doing this for all logins as the MVC.

What does success look like, and how can we measure that?

The impact to accounts compromised due to a leaked or stolen password is reduced, with less time elapsed before being reported by a user, increasing the effectiveness of support and security teams' ability to investigate sooner.

Availability & Testing

What risks does this change pose to our availability?

This feature is low risk to GitLab.com's availability

How might it affect the quality of the product?

This will improve the product's security and therefore, its overall quality.

What additional test coverage or changes to tests will be needed?

Ensure that email is sent on:

  • New login from a new IP address and a new client

Ensure that email is NOT sent on:

  • New login from a previously used IP address and a previously used client
  • New login from a previously used IP address but a new client
  • New login from a new IP address but a previously used client
  • New login from a previously used IP and device but a new client
  • New impersonation session

Will it require cross-browser testing?

This will not be necessary as the core functionality being added in this issue is not FE heavy.

All tests can be covered at unit and feature level. No new end-to-end tests should be needed.

Links / references

Edited Apr 16, 2020 by Antony Saba
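The notification rule implied by the test matrix above (mail only when both the IP address and the client are new for that user, never for an impersonation session) and the conditional MFA paragraph from the proposed email text, as an added Ruby example. This is not GitLab's own implementation; the `KnownDevices` store, the `LoginNotifier` class and the two `example.invalid` links are hypothetical, and the user names, IPs and user-agent strings in the usage are constructed sample input.

```ruby
# Added example, not GitLab code: a login-notification decision rule that
# follows the test matrix in the issue above. All names here are hypothetical.

require 'set'
require 'digest'

# Hypothetical in-memory record of the IPs and clients a user has signed in
# from before. A real deployment would back this with a per-user table.
class KnownDevices
  def initialize
    @ips = Hash.new { |h, k| h[k] = Set.new }
    @clients = Hash.new { |h, k| h[k] = Set.new }
  end

  def known_ip?(user_id, ip)
    @ips[user_id].include?(ip)
  end

  def known_client?(user_id, client)
    @clients[user_id].include?(client_key(client))
  end

  def record(user_id, ip, client)
    @ips[user_id] << ip
    @clients[user_id] << client_key(client)
  end

  private

  # Store a digest of the user agent rather than the raw string so the table
  # does not accumulate arbitrary attacker-controlled text.
  def client_key(client)
    Digest::SHA256.hexdigest(client)
  end
end

# Decides whether a successful sign-in warrants an email. Per the issue's test
# matrix, only a login from a new IP AND a new client triggers the mail; a
# previously seen IP or a previously seen client on its own does not.
class LoginNotifier
  def initialize(devices)
    @devices = devices
  end

  # Returns [should_notify, email_body_or_nil].
  def on_login(user:, ip:, client:, impersonated: false, mfa_enabled: false)
    # An admin impersonating the user is not the user's own device: neither
    # notify nor add the admin's IP/client to the user's known-device list,
    # otherwise it would silence a later alert for a genuinely new login.
    return [false, nil] if impersonated

    new_ip = !@devices.known_ip?(user, ip)
    new_client = !@devices.known_client?(user, client)
    @devices.record(user, ip, client)

    return [false, nil] unless new_ip && new_client

    [true, email_body(user, ip, mfa_enabled)]
  end

  private

  # Renders the suggested text from the proposal; the MFA paragraph is only
  # appended when the account has no multi-factor method configured.
  def email_body(user, ip, mfa_enabled)
    body = <<~MAIL
      Dear #{user}

      A new login to your account has been made from #{ip}. If you recently logged in
      and recognize the logged in location, you may disregard this email.

      If you did not recently log in, you should immediately change your password:
      https://example.invalid/-/profile/password/edit (hypothetical link). Passwords
      should be unique and not used for any other sites or services.
    MAIL
    unless mfa_enabled
      body += "\nTo further protect your account, consider configuring a multi-factor " \
              "authentication method: https://example.invalid/help/two_factor " \
              "(hypothetical link).\n"
    end
    body
  end
end

# Constructed sample usage: first login from a fresh IP/client pair is mailed,
# a repeat from the same pair is not.
if __FILE__ == $PROGRAM_NAME
  notifier = LoginNotifier.new(KnownDevices.new)
  sent, mail = notifier.on_login(user: 'alice', ip: '203.0.113.5', client: 'Firefox/99')
  puts(sent ? mail : 'no mail')
  sent, _ = notifier.on_login(user: 'alice', ip: '203.0.113.5', client: 'Firefox/99')
  puts(sent ? 'mail' : 'no mail')
end
```

One design choice worth noting: the matrix requires matching on the IP and the client together, so a credential-stuffing attempt that happens to reuse a common user-agent string from a new IP would be suppressed. If that is too permissive for a given deployment, dropping the `new_client` condition makes every new IP notify at the cost of more mail for users on mobile networks.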