Make 2FA Mandatory for GitLab Users within a specified period of time
Background
Recently, some companies have begun mandating the use of 2FA for their customers.
- Salesforce implemented this in Feb 2022.
- GitHub will have 2FA mandatory by the end of 2023 for certain audiences.
Proposal
If a user is using GitLab's internal identity mechanisms, make 2FA mandatory if they are not currently using it.
We'd be looking to do this in a phased rollout, offering our customers in-app notifications, e-mail notifications, and countdowns on when 2FA will be enforced. At the last step, a user will not be able to log in unless they set up their second factor.
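The phased rollout above amounts to a small state machine per user: out of scope (authenticating through an IdP), already compliant, notify, countdown, and finally blocked at login until a second factor is enrolled. The following Ruby sketch is an added example, not GitLab code: it encodes that decision with an assumed enrolment deadline and countdown window, and also takes an optional role filter so the "everyone vs. only Owners and Maintainers" question raised under Audience below can be expressed as a single setting. The `identity`, `two_factor_enabled` and `max_role` attributes, the `TwoFactorEnforcement` class and its constructor arguments are all constructed for this illustration.

```ruby
require 'date'

# Constructed example of a phased 2FA enforcement policy. Not GitLab code;
# the class name, settings and user attributes are assumptions.
#
# Phases returned by #phase_for, in rollout order:
#   :exempt    - user is out of scope (IdP-authenticated, or role not targeted)
#   :compliant - user already has a second factor enrolled
#   :notify    - early warning via in-app banner / e-mail
#   :countdown - final window before enforcement, with days remaining shown
#   :blocked   - deadline passed; login is redirected to 2FA enrolment
class TwoFactorEnforcement
  # deadline:       last calendar day on which a non-enrolled user may still log in
  # countdown_days: how many days before the deadline the countdown phase starts
  # required_roles: nil = every internally-authenticated user is in scope;
  #                 otherwise only users whose highest role is in this list
  def initialize(deadline:, countdown_days: 14, required_roles: nil)
    @deadline = deadline
    @countdown_days = countdown_days
    @required_roles = required_roles
  end

  # user is a Hash with :identity (:internal, :saml, :oidc, ...),
  # :two_factor_enabled (true/false) and :max_role (:guest .. :owner).
  def phase_for(user, today:)
    # Enforcement can only apply to GitLab's own identity store; for IdP users
    # the second factor (if any) is the IdP's responsibility.
    return :exempt unless user[:identity] == :internal
    return :exempt if @required_roles && !@required_roles.include?(user[:max_role])
    return :compliant if user[:two_factor_enabled]

    days_left = (@deadline - today).to_i
    return :blocked if days_left.negative?
    return :countdown if days_left <= @countdown_days

    :notify
  end

  # False means the login flow must divert into 2FA setup before proceeding.
  def login_allowed?(user, today:)
    phase_for(user, today: today) != :blocked
  end

  # Text for the in-app notification in each non-terminal phase; nil when
  # nothing needs to be shown.
  def banner(user, today:)
    case phase_for(user, today: today)
    when :notify
      "Two-factor authentication will be required from #{@deadline}."
    when :countdown
      "#{(@deadline - today).to_i} day(s) left to enable two-factor authentication."
    when :blocked
      "Set up two-factor authentication to continue."
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a developer on internal auth, no 2FA, deadline mid-year.
  policy = TwoFactorEnforcement.new(deadline: Date.new(2024, 6, 30), countdown_days: 14)
  user = { identity: :internal, two_factor_enabled: false, max_role: :developer }
  [Date.new(2024, 3, 1), Date.new(2024, 6, 20), Date.new(2024, 7, 1)].each do |day|
    puts "#{day}: #{policy.phase_for(user, today: day)} -> #{policy.banner(user, today: day)}"
  end
end
```

Note that the blocked phase is deliberately "redirect to enrolment" rather than a hard lock: the user can still prove who they are with their password and is only kept from the rest of the application until a second factor exists, which matches the last step described in the proposal.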
Open Questions / Concerns
- Support Impacts
We do not currently support MFA resets on our free tier. If we are forcing users to use 2FA but cannot support the recovery once they lose access, this seems like an unfair thing to do. Maybe we can't enforce it for free users? Maybe we offer recovery support?
- Audience
Do we require this of all users, or only of those with a certain role or credential set? For example, if someone has SSH keys and loses their second factor, they can recover it themselves. If someone has an elevated role, like Owner or Maintainer, the security benefit of mandatory 2FA is greater.
- Why
I wouldn't be a Product Manager if I didn't question this. Is "because everyone else is doing it" the reason? I think it's also a way we can convey that we care about security, but the vast majority of Enterprise customers are using an IdP and even if we make 2FA mandatory, we can only make it mandatory for those using GitLab's internal identity (not an IdP). My honest opinion is that it's a bit of a thing that sounds good, but I'm not sure the real impact it will have. Especially weighed against an increased Support burden.
I think we need to better cover our "why" and what we as a company are hoping to get out of this before we devote the time and resources to it. It will require careful planning and rollout.