Thomas Joseph

Reputation: 67

GitLab - Disable 2FA for only one user in an organization

2FA authentication is enabled in our organization, meaning any user who logs into GitLab is prompted with 2FA. Recently, we had to create a Service Account for various business reasons. How could we disable 2FA only for the Service Account user?

Upvotes: 1

Views: 4441

Answers (1)

VonC

Reputation: 1324248

Instead of trying to deactivate 2FA for a user, make sure that user has a PAT (Personal Access Token)

As explained in "Use personal access tokens with two-factor authentication"

When 2FA is enabled, you can’t use your password to authenticate with Git over HTTPS or the GitLab API.
You can use a personal access token instead.

Using the PAT as password allows the user to bypass the 2FA step.

Considering GitLab, and the access to npm registry, as per issue 9140, this (using a PAT) is not yet supported (Apr. 2022).

That meant (before issue resolution) you had to use a dedicated account without 2FA, possibly from a different organization which would exist solely for:

  • hosting service accounts
  • without 2FA (since 2FA would not be mandatory in that second organization)

That was certainly a workaround, but one which would allow you to wait for the resolution of the aforementioned GitLab issue.

However, the issue was resolved for GitLab 12.2 (Aug. 2019). See "npm packages in the Package Registry / Authenticate with a personal access token or deploy token".

Furthermore, with GitLab 15.2 (July 2022), you can make sure everybody does have 2FA.

Audit events when two-factor authentication is disabled

GitLab now records an audit event when a user disables their two-factor authentication (2FA) settings.

This audit event helps you ensure that all the users in your instance are properly using 2FA (and identify when the security of a user’s account has been lowered), so that you can investigate and take action.

See Documentation and Issue.

Upvotes: 4
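As an added example (not part of the answer above, and not GitLab's or the author's code), here is the PAT approach from the answer put into a small POSIX shell script: Git over HTTPS authenticates through a one-off credential helper fed from an exported `GITLAB_TOKEN` variable, and the REST API is called with GitLab's documented `PRIVATE-TOKEN` header. The host `gitlab.example.com`, the `service-account` user name and the token values are placeholders; `url_has_embedded_credentials` is an extra check that refuses `https://user:token@host/...` remotes, so the token never ends up persisted in `.git/config` or in process listings.

```shell
#!/bin/sh
# Added example: authenticate a GitLab service account with a personal access
# token (PAT) instead of password + 2FA. The token must be exported as
# GITLAB_TOKEN; GITLAB_HOST and the project path are placeholders.

GITLAB_HOST="${GITLAB_HOST:-gitlab.example.com}"   # placeholder host

# Git credential helper body. Git reads "username=" / "password=" lines from
# the helper's stdout; GitLab accepts any non-empty username when the password
# is a PAT, so the service account's name is used only for readability.
pat_credential_helper() {
    if [ -z "$GITLAB_TOKEN" ]; then
        echo "GITLAB_TOKEN is not set" >&2
        return 1
    fi
    printf 'username=%s\n' "${GITLAB_USER:-service-account}"
    printf 'password=%s\n' "$GITLAB_TOKEN"
}

# Returns 0 when an HTTPS remote URL carries embedded credentials
# (scheme://user:token@host/...). Such URLs persist the token in .git/config
# and expose it in `ps` output, shell history and logs, so they are refused.
url_has_embedded_credentials() {
    case "$1" in
        *://*@*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Clone over HTTPS. The empty "credential.helper=" resets any helpers from the
# user's config, then a one-shot helper echoes the PAT from the environment.
# Both are passed with -c, so nothing is written to any config file.
pat_git_clone() {
    project="$1"   # e.g. group/project (placeholder)
    dest="$2"
    url="https://$GITLAB_HOST/$project.git"
    if url_has_embedded_credentials "$url"; then
        echo "refusing to clone: credentials embedded in remote URL" >&2
        return 1
    fi
    git -c credential.helper= \
        -c 'credential.helper=!f() { echo "username=${GITLAB_USER:-service-account}"; echo "password=$GITLAB_TOKEN"; }; f' \
        clone "$url" "$dest"
}

# REST API call with the PAT in the PRIVATE-TOKEN header (GitLab's documented
# header), rather than as a query parameter that would land in access logs.
gitlab_api_get() {
    path="$1"   # e.g. "user" -> GET /api/v4/user, which also confirms the token works
    if [ -z "$GITLAB_TOKEN" ]; then
        echo "GITLAB_TOKEN is not set" >&2
        return 1
    fi
    curl --silent --fail --show-error \
        --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
        "https://$GITLAB_HOST/api/v4/$path"
}
```

Usage: `export GITLAB_TOKEN=...` from a secrets store, then `pat_git_clone group/project ./project` and `gitlab_api_get user`. Because the token is supplied through the environment and the `-c` options, rotating it is a matter of changing the variable; nothing on disk has to be cleaned up.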
