summaryrefslogtreecommitdiff
path: root/doc/security
diff options
context:
space:
mode:
authorGabriel Mazetto <gabriel@gitlab.com>2015-12-24 18:58:46 -0200
committerGabriel Mazetto <gabriel@gitlab.com>2015-12-24 19:01:30 -0200
commit1249289f89feba725109ce769e685b07cf746e4b (patch)
tree6fca6541c5667a41a36b2824fe0053e14c5e74f5 /doc/security
parent6e3fb5024addf86d48c5723168f664d09d81a969 (diff)
downloadgitlab-ce-1249289f89feba725109ce769e685b07cf746e4b.tar.gz
Fixed codestyle and added 2FA documentationfeature/force-tfa
Diffstat (limited to 'doc/security')
-rw-r--r--doc/security/README.md1
-rw-r--r--doc/security/two_factor_authentication.md38
2 files changed, 39 insertions, 0 deletions
diff --git a/doc/security/README.md b/doc/security/README.md
index fba6013d9c1..384df570394 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -6,3 +6,4 @@
- [Information exclusivity](information_exclusivity.md)
- [Reset your root password](reset_root_password.md)
- [User File Uploads](user_file_uploads.md)
+- [Enforce Two-Factor authentication](two_factor_authentication.md)
diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md
new file mode 100644
index 00000000000..4e25a1fdc3f
--- /dev/null
+++ b/doc/security/two_factor_authentication.md
@@ -0,0 +1,38 @@
+# Enforce Two-factor Authentication (2FA)
+
+Two-factor Authentication (2FA) provides an additional level of security to your
+users' GitLab account. Once enabled, in addition to supplying their username and
+password to login, they'll be prompted for a code generated by an application on
+their phone.
+
+You can read more about it here:
+[Two-factor Authentication (2FA)](doc/profile/two_factor_authentication.md)
+
+## Enabling 2FA
+
+Users on GitLab, can enable it without any admin's intervention. If you want to
+enforce everyone to setup 2FA, you can choose from two different ways:
+
+ 1. Enforce on next login
+ 2. Suggest on next login, but allow a grace period before enforcing.
+
+In the Admin area under **Settings** (`/admin/application_settings`), look for
+the "Sign-in Restrictions" area, where you can configure both.
+
+If you want 2FA enforcement to take effect on next login, change the grace
+period to `0`
+
+## Disabling 2FA for everyone
+
+There may be some special situations where you want to disable 2FA for everyone
+even when forced 2FA is disabled. There is a rake task for that:
+
+```
+# use this command if you've installed GitLab with the Omnibus package
+sudo gitlab-rake gitlab:two_factor:disable_for_all_users
+
+# if you've installed GitLab from source
+sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
+```
+
+**IMPORTANT: this is a permanent and irreversible action. Users will have to reactivate 2FA from scratch if they want to use it again.**