Enforce 2FA for GitLab administrators

Release notes

Problem to solve

There is no way to enforce a 2FA requirement for GitLab user accounts with Administrator access.

I want to enforce a 2FA requirement on all GitLab Administrator user accounts as an additional layer of security.

Intended users

User experience goal

GitLab systems administrators should be able to enforce 2FA for all GitLab administrator user accounts, ensuring that every admin must set up and use 2FA to access their accounts.

Proposal

Introduce a setting within the GitLab instance configuration that mandates 2FA for all administrator accounts. When this setting is enabled:

  • Existing administrators without 2FA will be prompted to set it up on their next login.
  • New administrators will be required to set up 2FA as part of their account setup process.

Further details

By enforcing 2FA for administrators, we add an extra layer of security that can prevent unauthorized access even if an attacker has the admin's password. This is crucial because administrators have the highest level of access and privileges on a GitLab instance.

Permissions and Security

Documentation

Update the GitLab documentation to include:

  • How to enable the "Mandatory 2FA for Admins" setting.
  • Steps for administrators to set up 2FA if they haven't already.

Availability & Testing

  • Unit test changes: Ensure that the new setting correctly identifies admins without 2FA and prompts them.
  • Integration test changes: Test the entire flow of an admin being prompted for 2FA setup when the setting is enabled.
  • End-to-end test changes: Simulate the experience of an admin logging in after the setting is enabled and being prompted for 2FA setup.

Available Tier

All tiers. CE and EE.

Feature Usage Metrics

What does success look like, and how can we measure that?

Success is when GitLab systems administrators have an option to require 2FA for GitLab administrator accounts.

What is the type of buyer?

Is this a cross-stage feature?

What is the competitive advantage or differentiation for this feature?

Links / references

Edited by Greg Myers
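
The check the proposal and its unit-test item describe (identify admins without 2FA and prompt them at login), sketched as an added example that is not GitLab source code and not part of the original issue. The method names and the `require_admin_2fa` flag are hypothetical; the sample records are constructed and use the `username`, `state`, `is_admin` and `two_factor_enabled` fields that the Users API returns to an administrator token.

```ruby
# Added illustration; not GitLab source code. Method and flag names are hypothetical.
require 'json'

# Constructed sample records shaped like Users API entries seen by an admin token.
SAMPLE_USERS = JSON.parse(<<~JSON, symbolize_names: true)
  [
    {"username": "root",    "state": "active",  "is_admin": true,  "two_factor_enabled": false},
    {"username": "alice",   "state": "active",  "is_admin": true,  "two_factor_enabled": true},
    {"username": "bob",     "state": "active",  "is_admin": false, "two_factor_enabled": false},
    {"username": "old_adm", "state": "blocked", "is_admin": true,  "two_factor_enabled": false},
    {"username": "carol",   "state": "active",  "is_admin": true}
  ]
JSON

# An admin counts as enrolled only when the field is explicitly true. A missing
# field (carol above) is treated as "no 2FA" so the check fails closed.
def admin_without_2fa?(user)
  user[:is_admin] == true && user[:two_factor_enabled] != true
end

# Login decision under the proposed instance setting.
def login_action(user, require_admin_2fa:)
  return :deny unless user[:state] == 'active'   # blocked accounts cannot sign in
  return :allow unless require_admin_2fa         # setting off: behaviour unchanged
  admin_without_2fa?(user) ? :prompt_2fa_setup : :allow
end

# Audit: active admins who would be prompted on their next login.
def admins_to_prompt(users)
  users.select { |u| u[:state] == 'active' && admin_without_2fa?(u) }
       .map { |u| u[:username] }
end

if __FILE__ == $PROGRAM_NAME
  puts "Admins who would be prompted: #{admins_to_prompt(SAMPLE_USERS).join(', ')}"
  SAMPLE_USERS.each do |u|
    puts format('%-8s -> %s', u[:username], login_action(u, require_admin_2fa: true))
  end
end
```
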