From d650c3083719e14e74e5cf852bd9a6dd4fed81eb Mon Sep 17 00:00:00 2001 From: Evan Read Date: Wed, 5 Jun 2019 19:20:26 +0000 Subject: Clarify and improve 2FA configuration information --- .../two_factor_authentication_group_settings.png | Bin 19495 -> 0 bytes .../img/two_factor_authentication_settings.png | Bin 9936 -> 0 bytes doc/security/two_factor_authentication.md | 35 ++++++++++----------- 3 files changed, 16 insertions(+), 19 deletions(-) delete mode 100644 doc/security/img/two_factor_authentication_group_settings.png delete mode 100644 doc/security/img/two_factor_authentication_settings.png diff --git a/doc/security/img/two_factor_authentication_group_settings.png b/doc/security/img/two_factor_authentication_group_settings.png deleted file mode 100644 index 05d95554fd9..00000000000 Binary files a/doc/security/img/two_factor_authentication_group_settings.png and /dev/null differ diff --git a/doc/security/img/two_factor_authentication_settings.png b/doc/security/img/two_factor_authentication_settings.png deleted file mode 100644 index 2a2208f98bd..00000000000 Binary files a/doc/security/img/two_factor_authentication_settings.png and /dev/null differ diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md index 4b65b901487..2ece4ed3fc9 100644 --- a/doc/security/two_factor_authentication.md +++ b/doc/security/two_factor_authentication.md 
@@ -16,39 +16,35 @@ enforce everyone to set up 2FA, you can choose from two different ways: - Enforce on next login. - Suggest on next login, but allow a grace period before enforcing. -In the Admin area under **Settings** (`/admin/application_settings`), look for -the "Sign-in Restrictions" area, where you can configure both. +After the configured grace period has elapsed, users will be able to log in but +won't be able to leave the 2FA configuration area at `/profile/two_factor_auth`. + +To enable 2FA for all users: + +1. Navigate to **Admin area > Settings > General** (`/admin/application_settings`). +1. Expand the **Sign-in restrictions** section, where you can configure both. If you want 2FA enforcement to take effect on next login, change the grace period to `0`. ---- - -![Two factor authentication admin settings](img/two_factor_authentication_settings.png) +## Enforcing 2FA for all users in a group ---- +If you want to enforce 2FA only for certain groups, you can: -## Enforcing 2FA for all users in a group +1. Enable it in the group's **Settings > General** page. +1. Optionally specify a grace period as above. -If you want to enforce 2FA only for certain groups, you can enable it in the -group settings and specify a grace period as above. To change this setting you -need to be administrator or owner of the group. +To change this setting, you need to be administrator or owner of the group. If there are multiple 2FA requirements (i.e. group + all users, or multiple groups) the shortest grace period will be used. ---- - -![Two factor authentication group settings](img/two_factor_authentication_group_settings.png) - ---- - ## Disabling 2FA for everyone There may be some special situations where you want to disable 2FA for everyone even when forced 2FA is disabled. There is a rake task for that: -``` +```sh # Omnibus installations sudo gitlab-rake gitlab:two_factor:disable_for_all_users 
@@ -56,5 +52,6 @@ sudo gitlab-rake gitlab:two_factor:disable_for_all_users sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production ``` -**IMPORTANT: this is a permanent and irreversible action. Users will have to - reactivate 2FA from scratch if they want to use it again.** +CAUTION: **Caution:** +This is a permanent and irreversible action. Users will have to +reactivate 2FA from scratch if they want to use it again. -- cgit v1.2.1
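Review bot: In the `@@ -16,39 +16,35 @@` hunk of `doc/security/two_factor_authentication.md`, the new numbered steps do not name the controls to change, and with both screenshots deleted in the same commit the text is the only reference left. Step 2 ends with "where you can configure both", but the two options it refers to are now separated from it by a new paragraph and a new lead-in sentence, and the group step reads "Enable it in the group's **Settings > General** page" without saying what "it" is. Suggest naming the setting labels in each step and stating the unit of the grace period next to "change the grace period to `0`", so an administrator can confirm that enforcement is actually configured as intended.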
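Review bot: In the `@@ -56,5 +52,6 @@` hunk, the reworded `CAUTION:` callout still follows the closing code fence, so a reader who copies either `gitlab:two_factor:disable_for_all_users` command reaches "This is a permanent and irreversible action" only after the commands themselves. Suggest moving the callout above the code block, directly after "There is a rake task for that:", so the warning is read before the task is run.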