We would like to stress that Two-Factor Authentication (2FA) on your developer accounts is one of the most effective ways to protect your code base from unauthorized changes.
Read more about this.
Soon, we'll engage with projects hosted on gitlab.eclipse.org (specifically, those within the gitlab.eclipse.org/eclipse top-level group) to discuss 2FA enforcement timelines. This communication will be project-specific: we will open a ticket on each project's GitLab repository and email each project's developer mailing list. While each project will be contacted individually, the enforcement timeline will remain consistent for all:
- October 30th, 2023: 2FA will be activated for all groups under gitlab.eclipse.org/eclipse, with a grace period lasting one month. During the grace period, if 2FA isn't activated on your GitLab account, a banner will prompt you on the site to do so.
- December 4th, 2023: The grace period concludes. If 2FA isn't activated by this date, your access to gitlab.eclipse.org will be limited, affecting your contribution to Eclipse Foundation projects.
We strongly encourage all committers to proactively activate 2FA on their gitlab.eclipse.org accounts, and not wait until the mandatory enforcement.
If you need assistance, feel free to initiate a help desk ticket. To set up 2FA on gitlab.eclipse.org, follow these instructions.
For queries or if you encounter issues (like account lockout) during 2FA setup, contact us at security@xxxxxxxxxxxxxxxxxxxxxx or webmaster@xxxxxxxxxxxxxxxxxxxxxx.
Your commitment to maintaining the security of Eclipse Foundation projects is greatly appreciated.
Cheers,
FAQ
How can I activate 2FA for my gitlab.eclipse.org account?
Detailed instructions are available. In a nutshell, visit https://gitlab.eclipse.org/-/profile/two_factor_auth and follow the on-screen instructions.
Do I need to purchase a hardware token for account access?
No. GitLab supports two 2FA methods:
- Time-based One Time Password (TOTP) compatible with mobile apps like Google Authenticator or Authy, and several password managers such as Bitwarden or 1Password.
- WebAuthn, which necessitates a hardware token, typically a USB key (examples include Solo 2 key or Yubikey). These tokens are sometimes referred to as FIDO2 keys.
How will this affect my gitlab.eclipse.org accounts?
In the near future, 2FA will become mandatory for authentication on your accounts. Should you not have enrolled by the deadline we communicated to you, access to the platform will be restricted.
I already have 2FA enabled on gitlab.eclipse.org, do I need to do anything?
No, you’re all good.
What do I do if I lose my 2FA device?
We highly recommend the utilization of diverse secondary authentication methods. In the event that you misplace all your secondary authentication elements, recovery codes will be the only way to restore account access. By securely storing your recovery codes, you'll ensure the ability to regain access.
Note that the Eclipse IT team may be able to recover access to accounts with 2FA enabled if both the 2FA credentials and account recovery methods are lost. This will require extra identity verification and direct contact with security@xxxxxxxxxxxxxxxxxxxxxx or webmaster@xxxxxxxxxxxxxxxxxxxxxx.
Head of Security | Eclipse Foundation