2FA authentication is enabled in our organization, meaning any user who logs into GitLab is prompted with 2FA. Recently, we had to create a Service Account for various business reasons. How could we disable 2FA only for the Service Account user?
Instead of trying to deactivate 2FA for a user, make sure that user has a PAT (Personal Access Token)
As explained in "Use personal access tokens with two-factor authentication"
When 2FA is enabled, you can’t use your password to authenticate with Git over HTTPS or the GitLab API.
You can use a personal access token instead.
Using the PAT as password allows the user to bypass the 2FA step.
Considering GitLab, and the access to npm registry, as per issue 9140, this (using a PAT) is not yet supported (Apr. 2022).
That meant (before issue resolution) you had to use a dedicated account without 2FA, possibly from a different organization which would exist solely for:
hosting service accounts
without 2FA (since 2FA would not be mandatory in that second organization)
That was certainly a workaround, but one which would allow you to wait for the resolution of the aforementioned GitLab issue.
However, the issue was resolved for GitLab 12.2 (Aug. 2019).
See "npm packages in the Package Registry / Authenticate with a personal access token or deploy token".
Furthermore, with GitLab 15.2 (July 2022), you can make sure everybody does have 2FA.
Audit events when two-factor authentication is disabled
GitLab now records an audit event when a user disables their two-factor authentication (2FA) settings.
This audit event helps you ensure that all the users in your instance are properly using 2FA (and identify when the security of a user's account has been lowered), so that you can investigate and take action.
See Documentation and Issue.
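As an added example (not part of the answer above, and not GitLab's own code), here is how the PAT described above stands in for a password in the three places a service account typically needs one: the REST API, Git over HTTPS, and the npm package registry. It assumes the token is exported as GITLAB_TOKEN (NPM_TOKEN for npm) and the account's username as GITLAB_USER; hosts and project ids are placeholders.

```shell
#!/bin/sh
# Added example: a service account keeps 2FA on and authenticates with a
# personal access token wherever a password would otherwise be asked for.
# Assumptions: token exported as GITLAB_TOKEN (and NPM_TOKEN for npm), the
# account's username as GITLAB_USER; hosts and project ids are placeholders.

# REST API call. PRIVATE-TOKEN is the header GitLab documents for PATs.
gitlab_api() {                       # $1 = host, $2 = API path, e.g. /user
    if [ -z "${GITLAB_TOKEN:-}" ]; then
        echo "GITLAB_TOKEN is not set" >&2
        return 2
    fi
    curl --fail --silent --show-error \
         --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" "https://$1/api/v4$2"
}

# Git over HTTPS: write a GIT_ASKPASS helper that answers git's username and
# password prompts from the environment, so the token never lands in the
# remote URL (and therefore not in .git/config or shell history).
make_askpass() {                     # $1 = path of the helper to create
    cat > "$1" <<'EOF'
#!/bin/sh
# git calls this once per prompt: "Username for ..." then "Password for ...".
case "$1" in
    *sername*) printf '%s\n' "${GITLAB_USER:?set GITLAB_USER}" ;;
    *)         printf '%s\n' "${GITLAB_TOKEN:?set GITLAB_TOKEN}" ;;
esac
EOF
    chmod 700 "$1"
}
# usage: GIT_ASKPASS=/path/helper git clone https://gitlab.example.com/group/project.git

# npm package registry: ${NPM_TOKEN} is left literal so npm expands it from
# the environment at run time and the .npmrc file itself holds no secret.
write_npmrc() {                      # $1 = output file, $2 = host, $3 = project id
    cat > "$1" <<EOF
//$2/api/v4/projects/$3/packages/npm/:_authToken=\${NPM_TOKEN}
EOF
}

# Guard for CI or a pre-commit hook: GitLab PATs carry the glpat- prefix, so a
# literal token pasted into a config file is easy to spot before it is committed.
no_token_leaked() { ! grep -q 'glpat-' "$1"; }
```

Rotate the token on the schedule your organization applies to passwords; the audit event mentioned below does not cover tokens, so expiry and rotation are what keep a PAT-based service account in check.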
I am stuck at this issue while sending a request for Azure Active Directory authentication from ASP.NET, using UserPasswordCredential. I get this error:
{
"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'
Note : MFA is enabled.
Does anyone know why this issue occurs? How can MFA authentication be ignored when authenticating from the API side?
Is there any policy to handle MFA authentication?
The documentation for UsernamePasswordCredential Class clearly states this will not work:
Enables authentication to Azure Active Directory using a user's username and password. If the user has MFA enabled this credential will fail to get a token throwing an AuthenticationFailedException. Also, this credential requires a high degree of trust and is not recommended outside of prototyping when more secure credentials can be used.
For an alternative solution, please see the documentation on Managed identities for Azure resources.
For our B2C Tenant we want to let our customers make use of the Microsoft Authenticator app. When doing research, we noticed that it was not possible to add the Authenticator App for existing users without disabling phone/text message authentication.
This is not an acceptable situation for us since that means that someone with customer credentials can take over the enrolment flow.
A MS engineer suggested the following:
The desired situation should be possible with a "Registration campaign" - https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/RegistrationCampaign
Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator.
However, we enabled this option as described in the Documentation, but after an existing user signs in no Authenticator App Flow is started.
Does someone have experience with how we can make this work?
As far as I know, if existing users don't receive the authenticator app approval even after enabling MFA, please try the steps below:
There is a chance that your users selected "Stay signed in" while logging into their accounts. By doing this, their devices will be treated as remembered devices, which suspends enabling MFA.
While enabling MFA, if you set "Remember MFA on trusted device", the user won't get prompts until the duration expires.
To resolve the issue, try clearing all old session history by enabling "Revoke MFA sessions".
If the issue still persists, try enabling "Re-register MFA", which asks the users to set up a new MFA authentication method when they sign in.
For more reference, please see the links below:
Enable multifactor authentication in Azure Active Directory B2C
Manage user authentication options
I am using Azure services and Azure AD Free (my personal account).
I have setup a tenant and I am Global Admin. I have enabled Security Default in the tenant. Hence, I assume MFA is enabled for all the tenant's users.
When I sign in to the Azure Portal as Global Admin, sometimes I am not prompted for MFA; maybe this is because the browser sends a cookie? Or maybe because MFA is not always triggered?
Also, if I open an incognito window I get prompted for a code, received via email. My question here is: why email? As per the AAD MFA docs, the email method is NOT an MFA channel!
Please check whether the following are the reasons for not getting the prompt for second verification even though MFA is enabled:
Please check if you are a member of any exception group. To avoid a lockout situation, Microsoft generally suggests excluding the global admin account while enabling MFA. If you did that, remove your account from the exception group.
There is also a possibility that you selected the checkbox saying "Stay signed in" while logging into your account. Then it will treat your device as a remembered device and suspend enabling MFA. Also, please check in the screenshot below whether you have enabled this option (Remember MFA on trusted device). If you enabled that, you won't get prompts until the number of days you have given expires.
To remove all those sessions, enable "Revoke MFA sessions", which clears all remembered session history and asks for second verification.
As you already mentioned, the MFA code won't be sent via email.
From this Microsoft Doc:
Email address is only used for Self-Service Password Reset (SSPR), not for authentication.
There is also a possibility that your password has expired and it's sending a code to your email to reset it, as you have given it as a recovery option.
NOTE:
As you are enabling Security Defaults, please note that you won't be getting MFA prompts every time. Azure AD decides when a user will be prompted for MFA, based on factors such as location, device, role and task.
For example, if you are accessing from a different location and it seems suspicious, you will definitely get a prompt; otherwise you won't. If you need MFA prompts in particular, make use of Conditional Access policies, which need Azure AD Premium licenses.
When I try to push anything into my GitLab repo, I'm being asked for a password. The thing is that I don't know if it's asking for my account password or a repository password. In either case I don't have a password for them because I was never prompted to create one.
I created my account by linking a Bitbucket account, which in turn is linked to my Gmail account.
Does Gitlab create a password for me automatically, like the username it creates off my email?
If you create your GitLab account by linking a Bitbucket account, which in turn is linked to your Google account, then your GitLab account's password is the same as your Google password.
This is referred to as Single sign-on (SSO):
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
You could also use Google SSO to create an account on GitLab instead of using Bitbucket SSO. This has several advantages:
It's directly linked to your Google account, just like the Bitbucket account.
It maintains a 1-1 relationship between Google SSO and third-party Git hosting services.
There is one less SSO service you are dependent upon. By using Bitbucket SSO you are reliant on both Google SSO and Bitbucket SSO when signing into GitLab.
In short, it makes more sense to use a single SSO service rather than multiple services. Partially, that's where the name comes from.
I'd like to use 2FA on my account in the "classical" way. The current setup on Microsoft/Azure accounts looks like a security hole to me.
I signed up to Azure and needed a Microsoft account for that (the one used at login.live.com / account.live.com). When setting up 2FA I can choose between security key, app etc. I set up a security key and it works in general, BUT I am still able to log in with just the account name and password. I can also choose to use only the key for login. This is not how 2FA is supposed to work.
How can I either use name+password and then the hardware token (this is how it works for AWS or Google accounts) or just use the token without the possibility to downgrade the security to name+password?