poldixd

Reputation: 1202

How to disable the Two-factor authentication in GitLab?

I changed the GitLab server. On the old one I had created a backup and now I have imported the backup into the new system. Everything works!

Now I have the issue that I can't log in because of the two-factor authentication. I think that the secret salt changed.

This is the log:

Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "user"=>{"otp_attempt"=>"[FILTERED]"}}

Completed 500 Internal Server Error in 10ms (ActiveRecord: 0.9ms)

OpenSSL::Cipher::CipherError (bad decrypt):
app/controllers/sessions_controller.rb:95:in `valid_otp_attempt?'
app/controllers/sessions_controller.rb:63:in `authenticate_with_two_factor'

How can I disable the two-factor authentication for one user?

greetings

Upvotes: 12

Views: 20001

Answers (7)

VonC

Reputation: 1324238

With GitLab 15.2 (July 2022), there is now an official API endpoint:

(for the self-managed instance only, not for the SaaS gitlab.com one)

Disable user 2FA using API

Administrators can disable 2FA for specific users using the API. This is useful when a user has lost or forgotten their backup codes for their primary token generator.

After the administrator disables 2FA for that user, the user can set up 2FA from scratch.

See Documentation and Issue.

So:

Pre-requisite:

You must be an administrator.

Disables two factor authentication (2FA) for the specified user.

Administrators cannot disable 2FA for their own user account or other administrators using the API.
Instead, they can disable an administrator’s 2FA using the Rails console.

PATCH /users/:id/disable_two_factor

curl --request PATCH --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/users/1/disable_two_factor"

Upvotes: 1

John

Reputation: 1

I realise that the OP is old, but I have just encountered this for the first time and put together the following steps that enable resetting 2FA on a user's account:

  1. Sign in as a GitLab Admin.
  2. Find the locked out user through the Admin\Users panel.
  3. Reset the user's password to a temporary password (keep a copy).
  4. Open the locked out user's profile.
  5. In the top right corner click "Impersonate".
  6. Now as the user click on "Edit Profile".
  7. Click Accounts, click "Manage two factor authentication".
  8. Enter the password from Step 3 and then either: a. Click "Disabled two-factor authentication" and let the user re-enable, or b. Click "Regenerate recovery codes" and pass these to the user.

In either case you'll also need to provide the new temporary password to the user.

Upvotes: 0

I disabled 2FA for all users on a GitLab Docker install with:

sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production

Upvotes: 0

an0o0nym

Reputation: 1516

For anyone looking for how to disable 2FA only for a single user, I found a working solution to be:

User.where(username: "username_goes_here").each(&:disable_two_factor!)

Upvotes: 7

xer0x

Reputation: 13156

GitLab has updated the command to disable two-factor authentication for all users to this:

sudo gitlab-rails runner 'User.find_each(&:disable_two_factor!)'

@poldixd's answer should still work. If it doesn't, try setting encrypted_otp_secret to nil instead of "".

Found this here: https://gitlab.com/gitlab-org/gitlab-ce/issues/1960

Upvotes: 12

0x4a42

Reputation: 31

For an installation from source you can run

cd /home/git/gitlab
sudo -u git -H bundle exec rails console production

to get a rails console and then enter

User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil, encrypted_otp_secret_iv: nil, encrypted_otp_secret_salt: nil, otp_backup_codes: nil)

to run the command.

Upvotes: 3

poldixd

Reputation: 1202

This command turns off the two-factor authentication for all users:

sudo gitlab-rails runner 'User.update_all(otp_required_for_login: false, encrypted_otp_secret: "")'

Upvotes: 7
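Added illustration, not code from this thread or from GitLab: the Ruby script below reproduces the mechanism behind the question's "bad decrypt" error and what the update_all / disable_two_factor! answers do at the column level. It assumes the OTP secret is encrypted with a key derived from the instance secret plus a per-row salt, stored in columns named as in the answers (encrypted_otp_secret, encrypted_otp_secret_iv, encrypted_otp_secret_salt); the cipher (AES-256-GCM), the key derivation and all sample values are constructed here so a wrong key fails deterministically, and are not GitLab's actual configuration.

```ruby
require "openssl"

# Stand-in for the encrypted OTP columns: ciphertext, IV and salt are stored
# per row, and the key is derived from the instance secret plus that salt.
# AES-256-GCM is an assumption (chosen so a wrong key always fails the tag check).
ALGO = "aes-256-gcm"
TAG_LEN = 16

def derive_key(secret_key_base, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, 2000, 32, OpenSSL::Digest.new("SHA256"))
end

# Simulates enrolling a user in 2FA on the original server: returns the
# column values that the backup would carry over to the new server.
def enroll_otp(otp_secret, secret_key_base)
  salt = OpenSSL::Random.random_bytes(16)
  cipher = OpenSSL::Cipher.new(ALGO).encrypt
  cipher.key = derive_key(secret_key_base, salt)
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(otp_secret) + cipher.final
  {
    otp_required_for_login: true,
    encrypted_otp_secret: ciphertext + cipher.auth_tag(TAG_LEN),
    encrypted_otp_secret_iv: iv,
    encrypted_otp_secret_salt: salt,
    otp_backup_codes: ["constructed-backup-code"],
  }
end

def decrypt_otp_secret(row, secret_key_base)
  data = row[:encrypted_otp_secret]
  cipher = OpenSSL::Cipher.new(ALGO).decrypt
  cipher.key = derive_key(secret_key_base, row[:encrypted_otp_secret_salt])
  cipher.iv = row[:encrypted_otp_secret_iv]
  cipher.auth_tag = data[-TAG_LEN, TAG_LEN]
  cipher.auth_data = ""
  cipher.update(data[0, data.bytesize - TAG_LEN]) + cipher.final
end

# Mirrors the failing valid_otp_attempt? path: the stored secret must be
# decrypted before any code can be checked, so a key-base mismatch surfaces as
# an OpenSSL::Cipher::CipherError (the 500 in the question), not as a wrong code.
def otp_check_outcome(row, secret_key_base)
  decrypt_otp_secret(row, secret_key_base)
  :ok
rescue OpenSSL::Cipher::CipherError
  :bad_decrypt
end

# Column-level effect of the update_all / disable_two_factor! answers:
# the undecryptable material is dropped so the user can enrol again.
def disable_two_factor(row)
  row.merge(
    otp_required_for_login: false,
    encrypted_otp_secret: nil,
    encrypted_otp_secret_iv: nil,
    encrypted_otp_secret_salt: nil,
    otp_backup_codes: nil,
  )
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not a real secret or key base.
  row = enroll_otp("JBSWY3DPEHPK3PXP", "old-server-otp-key-base")
  puts "same key base:      #{otp_check_outcome(row, 'old-server-otp-key-base')}"
  puts "restored elsewhere: #{otp_check_outcome(row, 'new-server-otp-key-base')}"
  puts "after reset:        #{disable_two_factor(row)[:otp_required_for_login]}"
end
```

The takeaway for a migration is that a database backup alone is not enough for 2FA to survive: the instance secrets that the encrypted columns depend on must be carried over with it, and when they are not, clearing the OTP columns (per user, or for everyone as the answers above do) is the recovery path rather than any attempt to repair the ciphertext.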
