Recommend DataPLANT 2FA #19

Open
Brilator opened this issue May 7, 2024 · 5 comments

@Brilator
Member

Brilator commented May 7, 2024

Keycloak comes with 2FA and, if I'm not mistaken, there's a reason why this is recommended over the 2FA offered inside the hub.

I would suggest disabling the 2FA inside DataHUB, or linking to / recommending Keycloak from there with an explanation.

Screenshot 2024-05-07 at 13 11 34
@j-bauer
Collaborator

j-bauer commented May 7, 2024

That's definitely the way to go. We need to check how to disable the 2FA functionality in the DataHUB and point to the Keycloak-based 2FA setup page. @TetraW could you have a look at how to do that?

@TetraW
Collaborator

TetraW commented May 7, 2024

> That's definitely the way to go. We need to check how to disable the 2FA functionality in the DataHUB and point to the Keycloak-based 2FA setup page. @TetraW could you have a look at how to do that?

Yes, I will look into it!

EDIT: It looks like it is possible to deactivate 2FA globally for all users using GitLab Rake tasks (https://docs.gitlab.com/16.11/ee/security/two_factor_authentication.html#for-all-users). I will look into it further in the next few days, together with an update to the current GitLab version (16.11.1).

@TetraW TetraW self-assigned this May 7, 2024
@Brilator
Member Author

Brilator commented May 7, 2024

Perfect, thanks.
Then maybe just add a banner or auto-email to those users who currently use 2FA via GitLab.

@TetraW
Collaborator

TetraW commented May 17, 2024

@Brilator @j-bauer
Unfortunately, things were a little more complicated than initially assumed. Using the GitLab Rake tasks, 2FA authentication can only be deactivated for users who have already activated it. This is more intended to enable access again if the second factor is lost. But it was not possible to deactivate the option to use 2FA authentication in this way.

However, I was able to “hide” the option with the help of a patch. This has so far only been implemented in the DataHUB on premise version. Here is a screenshot of the “Account” page after the patch.

Screenshot_DataHUB_2FA

@eik-dahms

image

Maybe a non deletious solution would be better for non Datahub authentication? You can see an example in action here

4 participants