gitlab-org--gitlab-foss/doc/user/account/two_factor_authentication.md

# Two-Factor Authentication

## Recovery options

If you lose your code generation device (such as your mobile phone) and you need
to disable two-factor authentication on your account, you have several options.

### Use a saved recovery code

When you enabled two-factor authentication for your account, a series of
recovery codes were generated. If you saved those codes somewhere safe, you
may use one to sign in.

First, enter your username/email and password on the GitLab sign in page. When
prompted for a two-factor code, enter one of the recovery codes you saved
previously.

> **Note:** Once a particular recovery code has been used, it cannot be used again.
  You may still use the other saved recovery codes at a later time.

### Generate new recovery codes using SSH

It's not uncommon for users to forget to save the recovery codes when enabling
two-factor authentication. If you have an SSH key added to your GitLab account,
you can generate a new set of recovery codes using SSH.

Run `ssh git@gitlab.example.com 2fa_recovery_codes`. You will be prompted to
confirm that you wish to generate new codes. If you choose to continue, any
previously saved codes will be invalidated.

```bash
$ ssh git@gitlab.example.com 2fa_recovery_codes
Are you sure you want to generate new two-factor recovery codes?
Any existing recovery codes you saved will be invalidated. (yes/no)
yes

Your two-factor authentication recovery codes are:

119135e5a3ebce8e
11f6v2a498810dcd
3924c7ab2089c902
e79a3398bfe4f224
34bd7b74adbc8861
f061691d5107df1a
169bf32a18e63e7f
b510e7422e81c947
20dbed24c5e74663
df9d3b9403b9c9f0

During sign in, use one of the codes above when prompted for
your two-factor code. Then, visit your Profile Settings and add
a new device so you do not lose access to your account again.
```

Next, go to the GitLab sign in page and enter your username/email and password.
When prompted for a two-factor code, enter one of the recovery codes obtained
from the command line output.

> **Note:** After signing in, you should immediately visit your **Profile Settings
  -> Account** to set up two-factor authentication with a new device.

### Ask a GitLab administrator to disable two-factor on your account

If the above two methods are not possible, you may ask a GitLab global
administrator to disable two-factor authentication for your account. Please
be aware that this will temporarily leave your account in a less secure state.
You should sign in and re-enable two-factor authentication as soon as possible
after the administrator disables it.
Add two factor recovery endpoint to internal API 2016-07-26 17:48:51 -04:00			`# Two-Factor Authentication`

			`## Recovery options`

			`If you lose your code generation device (such as your mobile phone) and you need`
			`to disable two-factor authentication on your account, you have several options.`

			`### Use a saved recovery code`

			`When you enabled two-factor authentication for your account, a series of`
			`recovery codes were generated. If you saved those codes somewhere safe, you`
			`may use one to sign in.`

			`First, enter your username/email and password on the GitLab sign in page. When`
			`prompted for a two-factor code, enter one of the recovery codes you saved`
			`previously.`

			`> Note: Once a particular recovery code has been used, it cannot be used again.`
			`You may still use the other saved recovery codes at a later time.`

			`### Generate new recovery codes using SSH`

			`It's not uncommon for users to forget to save the recovery codes when enabling`
			`two-factor authentication. If you have an SSH key added to your GitLab account,`
			`you can generate a new set of recovery codes using SSH.`

			Run `ssh git@gitlab.example.com 2fa_recovery_codes`. You will be prompted to
			`confirm that you wish to generate new codes. If you choose to continue, any`
			`previously saved codes will be invalidated.`

			```bash
			`$ ssh git@gitlab.example.com 2fa_recovery_codes`
			`Are you sure you want to generate new two-factor recovery codes?`
			`Any existing recovery codes you saved will be invalidated. (yes/no)`
			`yes`

			`Your two-factor authentication recovery codes are:`

			`119135e5a3ebce8e`
			`11f6v2a498810dcd`
			`3924c7ab2089c902`
			`e79a3398bfe4f224`
			`34bd7b74adbc8861`
			`f061691d5107df1a`
			`169bf32a18e63e7f`
			`b510e7422e81c947`
			`20dbed24c5e74663`
			`df9d3b9403b9c9f0`

			`During sign in, use one of the codes above when prompted for`
			`your two-factor code. Then, visit your Profile Settings and add`
			`a new device so you do not lose access to your account again.`
			```

			`Next, go to the GitLab sign in page and enter your username/email and password.`
			`When prompted for a two-factor code, enter one of the recovery codes obtained`
			`from the command line output.`

			`> Note: After signing in, you should immediately visit your **Profile Settings`
			`-> Account** to set up two-factor authentication with a new device.`

			`### Ask a GitLab administrator to disable two-factor on your account`

			`If the above two methods are not possible, you may ask a GitLab global`
			`administrator to disable two-factor authentication for your account. Please`
			`be aware that this will temporarily leave your account in a less secure state.`
			`You should sign in and re-enable two-factor authentication as soon as possible`
			`after the administrator disables it.`