Re: [eclipse.org-committers] Enabling Two-Factor Authentication (2FA) on gitlab.eclipse.org

Parts of yesterday's message were ambiguous and raised some questions. To clarify, here is what will happen after the deadline:

After December 4th, anyone attempting to log into gitlab.eclipse.org will be required to set up two-factor authentication (2FA) before they can proceed. However, it's important to note that there will be no restrictions on activating 2FA after this deadline.

Also, check out some interesting questions on our help desk along with our answers, which you might find informative:


Thank you again for your support!

Mikaël Barbero 
Head of Security | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration



On Nov 28, 2023 at 18:04:35, Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Dear Committers,

This is an urgent reminder from the Eclipse Foundation Security Team about the approaching deadline for Two-Factor Authentication enforcement on gitlab.eclipse.org. If you've already activated 2FA on gitlab.eclipse.org, you can safely ignore this email. 

The final deadline is next Monday, December 4th, 2023.

Critical Implications Post Deadline:

  • Loss of GitLab Access: After December 4th, you will not be able to log into gitlab.eclipse.org without 2FA.
  • Limited Helpdesk Support: Without 2FA, creating a helpdesk ticket for activation issues won't be possible.
  • Direct Contact Required: In case of problems with 2FA activation post-deadline, your only option will be to contact us directly at security@xxxxxxxxxxxxxxxxxxxxxx or webmaster@xxxxxxxxxxxxxxxxxxxxxx.

We have contacted projects within the https://gitlab.eclipse.org/eclipse group individually for specific discussions and timelines, through GitLab repository tickets.

Why It's Essential:
  • Enabling 2FA is critical for safeguarding your projects against unauthorized access and changes.

Actions You Need to Take Now:



Thank you for your immediate attention.

Best regards,

Mikaël Barbero 
Head of Security | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration



On Oct 13, 2023 at 11:13:19, Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Dear committers,


The Eclipse Foundation Security Team would like to bring an important security update to your attention. Last August, we communicated that GitHub plans to enforce 2FA for all users by the end of the year. We aim to adopt a similar strategy on gitlab.eclipse.org.


We would like to stress that Two-Factor Authentication (2FA) on your developer accounts is one of the most effective ways to protect your code base from unauthorized changes. Read more about this.


Soon, we'll engage with projects hosted on gitlab.eclipse.org (specifically, those within the gitlab.eclipse.org/eclipse top-level group) to discuss 2FA enforcement timelines. This communication will be project-specific, through opening a ticket on projects’ GitLab repository and by emailing projects’ developer mailing list. While each project will be contacted individually, the enforcement timeline will remain consistent for all:

  • October 30th, 2023: 2FA will be activated for all groups under gitlab.eclipse.org/eclipse, with a grace period lasting one month. During the grace period, if 2FA isn't activated on your GitLab account, a banner will prompt you on the site to do so.

  • December 4th, 2023: The grace period concludes. If 2FA isn't activated by this date, your access to gitlab.eclipse.org will be limited, affecting your contribution to Eclipse Foundation projects.

We strongly encourage all committers to proactively activate 2FA on their gitlab.eclipse.org accounts, and not wait until the mandatory enforcement.


If you need assistance, feel free to initiate a help desk ticket. To set up 2FA on gitlab.eclipse.org, follow these instructions. For queries or if you encounter issues (like account lockout) during 2FA setup, contact us at security@xxxxxxxxxxxxxxxxxxxxxx or webmaster@xxxxxxxxxxxxxxxxxxxxxx.


Your commitment to maintaining the security of Eclipse Foundation projects is greatly appreciated. 


Cheers,

FAQ

How can I activate 2FA for my gitlab.eclipse.org account?


Detailed instructions are available. In a nutshell, visit https://gitlab.eclipse.org/-/profile/two_factor_auth and follow the on-screen instructions.


Do I need to purchase a hardware token for account access?


No. GitLab supports two 2FA methods:

  • Time-based One-Time Password (TOTP) compatible with mobile apps like Google Authenticator or Authy, and several password managers such as Bitwarden or 1Password.

  • WebAuthn, which necessitates a hardware token, typically a USB key (examples include Solo 2 key or YubiKey). These tokens are sometimes referred to as FIDO2 keys.


How will this affect my gitlab.eclipse.org accounts?


In the near future, 2FA will become mandatory for authentication on your accounts. Should you not have enrolled by the deadline we communicated to you, access to the platform will be restricted.


I already have 2FA enabled on gitlab.eclipse.org, do I need to do anything?


No, you’re all good.


What do I do if I lose my 2FA device?


We highly recommend the utilization of diverse secondary authentication methods. In the event that you misplace all your secondary authentication elements, recovery codes will be the only way to restore account access. By securely storing your recovery codes, you'll ensure the ability to regain access.


Note that the Eclipse IT team may be able to recover access to accounts with 2FA enabled if both the 2FA credentials and account recovery methods are lost. This will require extra identity verification and direct contact with security@xxxxxxxxxxxxxxxxxxxxxx or webmaster@xxxxxxxxxxxxxxxxxxxxxx.



Mikaël Barbero 
Head of Security | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration

