by lkozloff 2145 days ago
Support Manager for GitLab here.

I appreciate this feedback, and you're right. We don't want folks to get themselves in a position where they lose access.

Our current language when you enable MFA is here: https://gitlab.com/gitlab-org/gitlab/-/blob/adc7dbeb387adc69...

> Should you ever lose your phone or access to your one time password secret, each of these recovery codes can be used one time each to regain access to your account. Please save them in a safe place, or you will lose access to your account.

We're directly emailing our most at-risk users and are still processing resets in the meantime. Additionally, many users will see a CTA banner reminding them to regenerate their recovery codes if they haven't recently.

If there's anything else we can do - I'm happy to hear it! I've had to rely on recovery services in the past because of pure bad luck and a move to a new country, so we didn't take this decision lightly.


The safest option would be to prompt users next time they log in (or at least next time they use the site) and have them choose one of "Sounds great, please permanently enable MFA" or "Please disable MFA on my account for now." However, that'd probably leave you with a long tail of users (like, uh, myself) who use gitlab.com rarely and will be in the limbo state for months.
I made this post on the forums: https://forum.gitlab.com/t/gitlab-support-is-no-longer-proce...

In summary:

Please consider some kind of exemption for non-commercial open source projects over a certain size.

This change would force me to choose between unacceptable risk to my users, or severe impact on my hobby/life balance and mental health due to the extreme personal responsibility I would have to take to mitigate it.

It's already terrifying enough to publish applications that users run on their systems. If I make an error I can cause all sorts of harm. But at least I only have to worry about that when developing.

Now, if I enable MFA, I can never relax. If I lose my work MFA, there's a perfectly safe process to recover. If I lose my personal MFA it's a few hours of calling banks. If I lose my GitLab MFA I harm hundreds of people. So, I have to be permanently vigilant for something I already give so much to for free.

Thanks for your feedback, I'm a community advocate at GitLab and just wanted to point out that our team has responded to your forum post here: https://forum.gitlab.com/t/gitlab-support-is-no-longer-proce...
I print my recovery keys and put them next to the title to my house. Now, unless the bank burns down they are safe.

If anything takes out both me and my bank, it’s taken out the whole city so I have more to worry about than just 2FA.