What's the deal with GitLab (and GitHub?) security?

I just wanted to raise an issue (i.e. report a bug) in some software package hosted on GitLab. I have a GitHub account, but not a GitLab one.

Whenever I log in from a new device (GitHub), I need to "authorize" the new device.
Now, I tried "logging in" on GitLab using the offered GitHub account/password authentication.

I got the usual "confirm this email address" thing.

I did that.

Then it wanted my phone number!

At this point I gave up. Do they also need my social security number, date of birth and passport number? Maybe my mother’s maiden name?

What’s the need for all this two-factor-authentication level security?

Asked By: colinh


As it’s commonly said on security.stackexchange, two-factor authentication is worth it when one form of authentication is not enough or when it makes sense to have an added layer of security.

What if someone finds out your password? They could delete your repos permanently without a way of getting them back, because git* assumes you are using 2FA for security, so that if a person gets your password, they would also need the other part of the "puzzle". If you feel so bothered by that, you can always turn that off, but git* will nag you to turn it on for security purposes. You can use alternative methods of 2FA, such as a YubiKey, that satisfy the "requirement" of 2FA.

Answered By: cinemassacres