Support U2F without TOTP
### Problem to solve
Currently, the only way to set up a U2F token without TOTP is to “trick” GitLab into thinking we have a device set up with TOTP (for instance by using `oathtool` manually).
### Further details
This is problematic for several reasons:
- It is terrible UX: you have to guess that you can “trick” the software, and then manually invoke `oathtool`.
- It results in documentation issues, like gitlab-ce#27677.
- From a security perspective, forcing users to set up a less-secure authentication option (in particular, TOTP is susceptible to phishing) doesn't make much sense.
### Proposal
Allow users to activate 2FA by setting up TOTP *or* a U2F token.
In either case, provide recovery tokens to regain control of the account.
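The enrollment policy this proposal describes, as an added Ruby sketch that is not GitLab's own code: 2FA is active once either factor is enrolled, recovery codes are issued on first enrollment regardless of factor type, and the last remaining factor cannot be removed. The `TwoFactorState` class, its method names and the key-handle strings are constructed for illustration.

```ruby
require 'securerandom'

# Constructed model of a user's second-factor state (not GitLab's own code).
class TwoFactorState
  attr_reader :totp_enabled, :u2f_registrations, :recovery_codes

  def initialize
    @totp_enabled = false
    @u2f_registrations = []
    @recovery_codes = []
  end

  # Current behaviour described in the issue: U2F can only be added once TOTP exists.
  def register_u2f_legacy(key_handle)
    raise ArgumentError, 'TOTP must be set up before a U2F token' unless @totp_enabled
    @u2f_registrations << key_handle
  end

  # Proposed behaviour: either factor activates 2FA, and recovery codes are
  # issued the first time any factor is enrolled.
  def enable_totp
    @totp_enabled = true
    issue_recovery_codes_if_needed
  end

  def register_u2f(key_handle)
    @u2f_registrations << key_handle
    issue_recovery_codes_if_needed
  end

  def two_factor_enabled?
    @totp_enabled || !@u2f_registrations.empty?
  end

  # Removing the last remaining factor would silently drop the account back to
  # password-only authentication, so it is refused.
  def remove_u2f(key_handle)
    remaining = @u2f_registrations - [key_handle]
    raise ArgumentError, 'cannot remove the last second factor' if remaining.empty? && !@totp_enabled
    @u2f_registrations = remaining
  end

  private

  def issue_recovery_codes_if_needed
    @recovery_codes = Array.new(10) { SecureRandom.hex(8) } if @recovery_codes.empty?
  end
end
```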
### What does success look like, and how can we measure that?
The feature is implemented, and users can successfully set up U2F without TOTP.
### Links / references
issue