Use email otp as verification fallback for 2fa
What does this MR do and why?
Allow a user to use email OTP as fallback verification for 2FA.
Part 2 for https://gitlab.com/gitlab-org/gitlab/-/issues/570174.
References
https://gitlab.com/gitlab-org/gitlab/-/issues/570174+s
Screenshots or screen recordings
| Scenario | Before | After | Note |
|---|---|---|---|
| User only has 2FA enabled, but has email_otp_required_after set to nil | unchanged | Screen_Recording_2025-11-03_at_3.11.50_PM | the send email OTP link in the footer is not available because email_otp_required_after value does not satisfy permission |
| User only has 2FA enabled, but has email_otp_required_after set to the future | unchanged | Screen_Recording_2025-11-03_at_3.13.40_PM | the send email OTP link in the footer is not available because email_otp_required_after value does not satisfy permission |
| User only has 2FA enabled, but has email_otp_required_after set to the past | email otp fallback is not available | Screen_Recording_2025-11-03_at_3.05.26_PM | the send email OTP link in the footer is available because email_otp_required_after value satisfies permission |
| User has webAuthn enabled, but chooses to verify with 2FA while having email_otp_required_after set to nil | unchanged | Screen_Recording_2025-11-03_at_3.16.36_PM | the send email OTP link in the footer is not available because email_otp_required_after value does not satisfy permission |
| User has webAuthn enabled, but chooses to verify with 2FA while having email_otp_required_after set to the past | email otp fallback is not available | Screen_Recording_2025-11-03_at_12.55.15_PM | the send email OTP link in the footer is available because email_otp_required_after value satisfies permission |
How to set up and validate locally
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Jennifer Li