summaryrefslogtreecommitdiff
path: root/doc/user/profile/account/two_factor_authentication.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/profile/account/two_factor_authentication.md')
-rw-r--r--doc/user/profile/account/two_factor_authentication.md158
1 files changed, 121 insertions, 37 deletions
diff --git a/doc/user/profile/account/two_factor_authentication.md b/doc/user/profile/account/two_factor_authentication.md
index dacb6c3a5a7..c25535cbf65 100644
--- a/doc/user/profile/account/two_factor_authentication.md
+++ b/doc/user/profile/account/two_factor_authentication.md
@@ -2,14 +2,14 @@
type: howto
stage: Manage
group: Access
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Two-factor authentication
Two-factor authentication (2FA) provides an additional level of security to your
GitLab account. After being enabled, in addition to supplying your username and
-password to sign in, you'll be prompted for a code generated by your one-time
+password to sign in, you are prompted for a code generated by your one-time
password authenticator (for example, a password manager on one of your devices).
By enabling 2FA, the only way someone other than you can sign in to your account
@@ -18,24 +18,25 @@ password secret.
## Overview
-TIP: **Tip:**
+NOTE:
When you enable 2FA, don't forget to back up your [recovery codes](#recovery-codes)!
In addition to time-based one time passwords (TOTP), GitLab supports U2F
-(universal 2nd factor) and WebAuthn (experimental) devices as the second factor of authentication. Once
-enabled, in addition to supplying your username and password to log in, you'll
-be prompted to activate your U2F / WebAuthn device (usually by pressing a button on it),
-and it will perform secure authentication on your behalf.
+(universal 2nd factor) and WebAuthn (experimental) devices as the second factor
+of authentication. After being enabled, in addition to supplying your username
+and password to sign in, you're prompted to activate your U2F / WebAuthn device
+(usually by pressing a button on it) which performs secure authentication on
+your behalf.
-It is highly recommended that you set up 2FA with both a
-[one-time password authenticator](#one-time-password) or use [FortiAuthenticator](#one-time-password-via-fortiauthenticator)
-and a [U2F device](#u2f-device) or a [WebAuthn device](#webauthn-device), so you can still access your account
-if you lose your U2F / WebAuthn device.
+It's highly recommended that you set up 2FA with both a [one-time password authenticator](#one-time-password)
+or use [FortiAuthenticator](#one-time-password-via-fortiauthenticator) and a
+[U2F device](#u2f-device) or a [WebAuthn device](#webauthn-device), so you can
+still access your account if you lose your U2F / WebAuthn device.
## Enabling 2FA
-There are multiple ways to enable two-factor authentication: via a one time password authenticator
-or a U2F / WebAuthn device.
+There are multiple ways to enable two-factor authentication: by using a one-time
+password authenticator or a U2F / WebAuthn device.
### One-time password
@@ -62,8 +63,8 @@ To enable 2FA:
code** field.
1. Select **Submit**.
-If the pin you entered was correct, you'll see a message indicating that
-two-factor authentication has been enabled, and you'll be presented with a list
+If the pin you entered was correct, a message displays indicating that
+two-factor authentication has been enabled, and you're shown a list
of [recovery codes](#recovery-codes). Be sure to download them and keep them
in a safe place.
@@ -77,7 +78,7 @@ You can use FortiAuthenticator as an OTP provider in GitLab. Users must exist in
both FortiAuthenticator and GitLab with the exact same username, and users must
have FortiToken configured in FortiAuthenticator.
-You'll also need a username and access token for FortiAuthenticator. The
+You need a username and access token for FortiAuthenticator. The
`access_token` in the code samples shown below is the FortAuthenticator access
key. To get the token, see the `REST API Solution Guide` at
[`Fortinet Document Library`](https://docs.fortinet.com/document/fortiauthenticator/6.2.0/rest-api-solution-guide/158294/the-fortiauthenticator-api).
@@ -141,6 +142,86 @@ to run the following command:
Feature.enable(:forti_authenticator, User.find(<user ID>))
```
+### One-time password via FortiToken Cloud
+
+> - Introduced in [GitLab 13.7](https://gitlab.com/gitlab-org/gitlab/-/issues/212313).
+> - It's deployed behind a feature flag, disabled by default.
+> - It's disabled on GitLab.com.
+> - It's not recommended for production use.
+> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-fortitoken-cloud-integration).
+
+WARNING:
+This feature might not be available to you. Check the **version history** note above for details.
+
+You can use FortiToken Cloud as an OTP provider in GitLab. Users must exist in
+both FortiToken Cloud and GitLab with the exact same username, and users must
+have FortiToken configured in FortiToken Cloud.
+
+You'll also need a `client_id` and `client_secret` to configure FortiToken Cloud.
+To get these, see the `REST API Guide` at
+[`Fortinet Document Library`](https://docs.fortinet.com/document/fortitoken-cloud/20.4.d/rest-api).
+
+First configure FortiToken Cloud in GitLab. On your GitLab server:
+
+1. Open the configuration file.
+
+ For Omnibus GitLab:
+
+ ```shell
+ sudo editor /etc/gitlab/gitlab.rb
+ ```
+
+ For installations from source:
+
+ ```shell
+ cd /home/git/gitlab
+ sudo -u git -H editor config/gitlab.yml
+ ```
+
+1. Add the provider configuration:
+
+ For Omnibus package:
+
+ ```ruby
+ gitlab_rails['forti_token_cloud_enabled'] = true
+ gitlab_rails['forti_token_cloud_client_id'] = '<your_fortinet_cloud_client_id>'
+ gitlab_rails['forti_token_cloud_client_secret'] = '<your_fortinet_cloud_client_secret>'
+ ```
+
+ For installations from source:
+
+ ```yaml
+ forti_token_cloud:
+ enabled: true
+ client_id: YOUR_FORTI_TOKEN_CLOUD_CLIENT_ID
+ client_secret: YOUR_FORTI_TOKEN_CLOUD_CLIENT_SECRET
+ ```
+
+1. Save the configuration file.
+1. [Reconfigure](../../../administration/restart_gitlab.md#omnibus-gitlab-reconfigure)
+ or [restart GitLab](../../../administration/restart_gitlab.md#installations-from-source)
+ for the changes to take effect if you installed GitLab via Omnibus or from
+ source respectively.
+
+#### Enable or disable FortiToken Cloud integration
+
+FortiToken Cloud integration is under development and not ready for production use.
+It is deployed behind a feature flag that is **disabled by default**.
+[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
+can enable it.
+
+To enable it:
+
+```ruby
+Feature.enable(:forti_token_cloud, User.find(<user ID>))
+```
+
+To disable it:
+
+```ruby
+Feature.disable(:forti_token_cloud, User.find(<user ID>))
+```
+
### U2F device
> Introduced in [GitLab 8.9](https://about.gitlab.com/blog/2016/06/22/gitlab-adds-support-for-u2f/).
@@ -157,7 +238,7 @@ following desktop browsers:
- Firefox 67+
- Opera
-NOTE: **Note:**
+NOTE:
For Firefox 47-66, you can enable the FIDO U2F API in
[about:config](https://support.mozilla.org/en-US/kb/about-config-editor-firefox).
Search for `security.webauth.u2f` and double click on it to toggle to `true`.
@@ -170,9 +251,9 @@ To set up 2FA with a U2F device:
1. Click **Enable Two-Factor Authentication**.
1. Connect your U2F device.
1. Click on **Set up New U2F Device**.
-1. A light will start blinking on your device. Activate it by pressing its button.
+1. A light begins blinking on your device. Activate it by pressing its button.
-You will see a message indicating that your device was successfully set up.
+A message displays, indicating that your device was successfully set up.
Click on **Register U2F Device** to complete the process.
### WebAuthn device
@@ -208,23 +289,26 @@ To set up 2FA with a WebAuthn compatible device:
1. Select **Set up New WebAuthn Device**.
1. Depending on your device, you might need to press a button or touch a sensor.
-You will see a message indicating that your device was successfully set up.
+A message displays, indicating that your device was successfully set up.
Recovery codes are not generated for WebAuthn devices.
## Recovery codes
-NOTE: **Note:**
+NOTE:
Recovery codes are not generated for U2F / WebAuthn devices.
-CAUTION: **Caution:**
+WARNING:
Each code can be used only once to log in to your account.
-Immediately after successfully enabling two-factor authentication, you'll be
+Immediately after successfully enabling two-factor authentication, you're
prompted to download a set of generated recovery codes. Should you ever lose access
to your one-time password authenticator, you can use one of these recovery codes to log in to
your account. We suggest copying and printing them, or downloading them using
the **Download codes** button for storage in a safe place. If you choose to
-download them, the file will be called `gitlab-recovery-codes.txt`.
+download them, the file is called `gitlab-recovery-codes.txt`.
+
+The UI now includes **Copy codes** and **Print codes** buttons, for your convenience.
+[Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267730) in GitLab 13.7.
If you lose the recovery codes or just want to generate new ones, you can do so
from the [two-factor authentication account settings page](#regenerate-2fa-recovery-codes) or
@@ -233,8 +317,8 @@ from the [two-factor authentication account settings page](#regenerate-2fa-recov
## Logging in with 2FA Enabled
Logging in with 2FA enabled is only slightly different than a normal login.
-Enter your username and password credentials as you normally would, and you'll
-be presented with a second prompt, depending on which type of 2FA you've enabled.
+Enter your username and password credentials as you normally would, and you're
+presented with a second prompt, depending on which type of 2FA you've enabled.
### Log in via a one-time password
@@ -246,19 +330,19 @@ recovery code to log in.
To log in via a U2F device:
1. Click **Login via U2F Device**.
-1. A light will start blinking on your device. Activate it by touching/pressing
+1. A light begins blinking on your device. Activate it by touching/pressing
its button.
-You will see a message indicating that your device responded to the authentication
-request and you will be automatically logged in.
+A message displays, indicating that your device responded to the authentication
+request, and you're automatically logged in.
### Log in via WebAuthn device
In supported browsers you should be automatically prompted to activate your WebAuthn device
(e.g. by touching/pressing its button) after entering your credentials.
-You will see a message indicating that your device responded to the authentication
-request and you will be automatically logged in.
+A message displays, indicating that your device responded to the authentication
+request and you're automatically logged in.
## Disabling 2FA
@@ -269,14 +353,14 @@ If you ever need to disable 2FA:
1. Go to **Account**.
1. Click **Disable**, under **Two-Factor Authentication**.
-This will clear all your two-factor authentication registrations, including mobile
+This clears all your two-factor authentication registrations, including mobile
applications and U2F / WebAuthn devices.
## Personal access tokens
When 2FA is enabled, you can no longer use your normal account password to
authenticate with Git over HTTPS on the command line or when using
-[GitLab's API](../../../api/README.md). You must use a
+the [GitLab API](../../../api/README.md). You must use a
[personal access token](../personal_access_tokens.md) instead.
## Recovery options
@@ -312,7 +396,7 @@ a new set of recovery codes with SSH:
ssh git@gitlab.example.com 2fa_recovery_codes
```
-1. You will then be prompted to confirm that you want to generate new codes.
+1. You are prompted to confirm that you want to generate new codes.
Continuing this process invalidates previously saved codes:
```shell
@@ -357,14 +441,14 @@ To regenerate 2FA recovery codes, you need access to a desktop browser:
1. If you've already configured 2FA, click **Manage two-factor authentication**.
1. In the **Register Two-Factor Authenticator** pane, click **Regenerate recovery codes**.
-NOTE: **Note:**
-If you regenerate 2FA recovery codes, save them. You won't be able to use any previously created 2FA codes.
+NOTE:
+If you regenerate 2FA recovery codes, save them. You can't use any previously created 2FA codes.
### Ask a GitLab administrator to disable two-factor authentication on your account
If you cannot use a saved recovery code or generate new recovery codes, ask a
GitLab global administrator to disable two-factor authentication for your
-account. This will temporarily leave your account in a less secure state.
+account. This temporarily leaves your account in a less secure state.
Sign in and re-enable two-factor authentication as soon as possible.
## Note to GitLab administrators
View Lorry Controller Status