[eclipse.org-committers] Enabling Two-Factor Authentication (2FA) on gitlab.eclipse.org

Dear committers,


The Eclipse Foundation Security Team would like to bring an important security update to your attention. Last August, we communicated that GitHub plans to enforce 2FA for all users by the end of the year. We aim to adopt a similar strategy on gitlab.eclipse.org.


We would like to stress that Two-Factor Authentication (2FA) on your developer accounts is one of the most effective ways to protect your code base from unauthorized changes. Read more about this.


Soon, we'll engage with projects hosted on gitlab.eclipse.org (specifically, those within the gitlab.eclipse.org/eclipse top-level group) to discuss 2FA enforcement timelines. This communication will be project-specific, by opening a ticket on each project’s GitLab repository and by emailing each project’s developer mailing list. While each project will be contacted individually, the enforcement timeline will remain consistent for all:

  • October 30th, 2023: 2FA will be activated for all groups under gitlab.eclipse.org/eclipse, with a grace period lasting one month. During the grace period, if 2FA isn't activated on your GitLab account, a banner will prompt you on the site to do so.

  • December 4th, 2023: The grace period concludes. If 2FA isn't activated by this date, your access to gitlab.eclipse.org will be limited, affecting your contribution to Eclipse Foundation projects.

We strongly encourage all committers to proactively activate 2FA on their gitlab.eclipse.org accounts, and not wait until the mandatory enforcement.


If you need assistance, feel free to initiate a help desk ticket. To set up 2FA on gitlab.eclipse.org, follow these instructions. For queries or if you encounter issues (like account lockout) during 2FA setup, contact us at security@xxxxxxxxxxxxxxxxxxxxxx or webmaster@xxxxxxxxxxxxxxxxxxxxxx.


Your commitment to maintaining the security of Eclipse Foundation projects is greatly appreciated. 


Cheers,

FAQ

How can I activate 2FA for my gitlab.eclipse.org account?


Detailed instructions are available. In a nutshell, visit https://gitlab.eclipse.org/-/profile/two_factor_auth and follow the on-screen instructions.


Do I need to purchase a hardware token for account access?


No. GitLab supports two 2FA methods:

  • Time-based One-Time Password (TOTP), compatible with mobile apps like Google Authenticator or Authy, and several password managers such as Bitwarden or 1Password.

  • WebAuthn, which necessitates a hardware token, typically a USB key (examples include Solo 2 key or YubiKey). These tokens are sometimes referred to as FIDO2 keys.


How will this affect my gitlab.eclipse.org accounts?


In the near future, 2FA will become mandatory for authentication on your accounts. Should you not have enrolled by the deadline we communicated to you, access to the platform will be restricted.


I already have 2FA enabled on gitlab.eclipse.org, do I need to do anything?


No, you’re all good.


What do I do if I lose my 2FA device?


We highly recommend the utilization of diverse secondary authentication methods. In the event that you misplace all your secondary authentication elements, recovery codes will be the only way to restore account access. By securely storing your recovery codes, you'll ensure the ability to regain access.


Note that the Eclipse IT team may be able to recover access to accounts with 2FA enabled if both the 2FA credentials and account recovery methods are lost. This will require extra identity verification and direct contact with security@xxxxxxxxxxxxxxxxxxxxxx or webmaster@xxxxxxxxxxxxxxxxxxxxxx.



Mikaël Barbero 
Head of Security | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration

