Enforce 2FA for GitLab administrators
Release notes
Problem to solve
There is no way to enforce a 2FA requirement specifically for GitLab user accounts with Administrator access; the existing instance-wide enforcement setting applies to every user or to none.
I want to enforce a 2FA requirement on all GitLab Administrator user accounts as an additional layer of security.
Intended users
- Sidney (Systems Administrator)
- Amy (Application Security Engineer)
- Alex (Security Operations Engineer)
- Cameron (Compliance Manager)
User experience goal
GitLab systems administrators should be able to enforce 2FA for all GitLab administrator user accounts, so that every admin must set up 2FA and present a second factor to sign in.
Proposal
Introduce an instance-level setting that mandates 2FA for all administrator accounts. When this setting is enabled:
- Existing administrators without 2FA are required to set it up on their next sign-in and cannot continue until they do.
- New administrators, including existing users who are later granted the Administrator role, are required to set up 2FA as part of their account setup.
Further details
By enforcing 2FA for administrators, we add an extra layer of security that can prevent unauthorized access even if an attacker has obtained the admin's password (for example through phishing, credential stuffing or a leaked password database). This is crucial because administrators have the highest level of access and privileges on a GitLab instance. Note that 2FA protects interactive sign-in only: personal access tokens and SSH keys already provisioned on an admin account are not challenged for a second factor, so the setting should be paired with a review of those credentials.
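Until such a setting exists, an administrator can at least audit the current state. The following script is an added example and is not part of this proposal or of GitLab's code base. It relies on two documented facts about the GitLab REST API: `GET /api/v4/users?admins=true` returns only administrator accounts, and, when called with an administrator token, each user object carries `is_admin` and `two_factor_enabled` fields. The JSON embedded below is a constructed sample of such a response so the check runs offline; the `GITLAB_URL`/`GITLAB_TOKEN` environment variable names and the `fetch_admins`/`admins_without_2fa` helpers are this example's own.

```ruby
#!/usr/bin/env ruby
# Added example (not GitLab's own code): report administrator accounts that
# have not enabled 2FA, using the Users API or a constructed offline sample.
require 'json'
require 'net/http'
require 'uri'

# Constructed sample of GET /api/v4/users?admins=true, trimmed to the fields
# this check uses. One active admin lacks 2FA; one blocked admin also lacks it.
SAMPLE_RESPONSE = <<~JSON
  [
    {"id": 1, "username": "root",      "state": "active",  "is_admin": true, "two_factor_enabled": true},
    {"id": 7, "username": "sidney",    "state": "active",  "is_admin": true, "two_factor_enabled": false},
    {"id": 9, "username": "old-admin", "state": "blocked", "is_admin": true, "two_factor_enabled": false}
  ]
JSON

PER_PAGE = 100

# Fetch every admin user from a live instance, following pagination.
# Needs a personal access token of an administrator (read_api scope suffices).
def fetch_admins(base_url, token)
  users = []
  page = 1
  loop do
    uri = URI("#{base_url}/api/v4/users?admins=true&per_page=#{PER_PAGE}&page=#{page}")
    req = Net::HTTP::Get.new(uri)
    req['PRIVATE-TOKEN'] = token
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.request(req)
    end
    raise "GitLab API returned HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)

    batch = JSON.parse(res.body)
    users.concat(batch)
    break if batch.size < PER_PAGE

    page += 1
  end
  users
end

# Usernames of administrators without 2FA. Blocked accounts are skipped by
# default because they cannot sign in, but pass include_blocked: true to list
# them as well: unblocking one would silently reopen the gap.
def admins_without_2fa(users, include_blocked: false)
  users.select { |u| u['is_admin'] }
       .reject { |u| u['two_factor_enabled'] }
       .select { |u| include_blocked || u['state'] == 'active' }
       .map { |u| u['username'] }
end

if $PROGRAM_NAME == __FILE__
  users = if ENV['GITLAB_URL'] && ENV['GITLAB_TOKEN']
            fetch_admins(ENV['GITLAB_URL'], ENV['GITLAB_TOKEN'])
          else
            JSON.parse(SAMPLE_RESPONSE) # offline run on the constructed sample
          end
  missing = admins_without_2fa(users)
  if missing.empty?
    puts 'All active administrators have 2FA enabled.'
  else
    puts "Administrators without 2FA: #{missing.join(', ')}"
  end
end
```

Run it with `GITLAB_URL=https://gitlab.example.com GITLAB_TOKEN=... ruby audit_admin_2fa.rb` against a real instance, or with no environment variables to exercise the sample data. The result is a point-in-time report, which is exactly the limitation the proposed setting removes: it cannot stop a newly promoted administrator from signing in without 2FA between two audit runs.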
Permissions and Security
Documentation
Update the GitLab documentation to include:
- How to enable the "Mandatory 2FA for Admins" setting.
- Steps for administrators to set up 2FA if they have not already done so.
Availability & Testing
- Unit test changes: Ensure that the new setting correctly identifies administrators without 2FA and requires them to set it up.
- Integration test changes: Test the entire flow of an administrator being required to set up 2FA when the setting is enabled.
- End-to-end test changes: Simulate an administrator signing in after the setting is enabled and being required to set up 2FA before proceeding.
Available Tier
All tiers. CE and EE.
Feature Usage Metrics
What does success look like, and how can we measure that?
Success is when GitLab systems administrators have an option to require 2FA for GitLab administrator accounts. Usage can be measured by the share of instances that enable the setting and, on those instances, the share of administrator accounts with 2FA enabled.