Setting to completely disallow 2FA enrollment

Proposal

GitLab should have a setting that allows admins of self-managed instances to completely disallow users from enrolling 2FA.

A customer states that their business case for such a request is:

The company has an official MFA solution that is managed and supported by an in-house team. Their GitLab instances are SAML-configured to use the company’s official MFA solution for GitLab sign-in. Users who have enabled GitLab 2FA in their GitLab accounts are using an unauthorized 2nd 2FA implementation on top of the company’s official MFA solution to sign into GitLab. For such users, they are using 2FA sign-in on top of 2FA sign-in, which is overkill. Users are not consistent when selecting the 2nd 2FA; some are using Google Authenticator, others Microsoft Authenticator, and so on… This presents support challenges when a user reports having a GitLab sign-in issue when the 2nd 2FA is not working as it is supposed to or has stopped working. This creates a resource and technical expertise burden to support whatever 2nd 2FA the user has selected.

In their environment, the main issue is that GitLab 2FA is considered to be a backdoor for users to deploy a 2FA solution not vetted and approved by the company.
