Hi,

Ben Cooksley wrote:
> As part of securing Invent against recently detected suspicious activity

What kind of suspicious activity would that be? Yesterday, Invent even considered it "suspicious" enough to send a warning e-mail that my semi-static IP address (TV-cable broadband ISP) has changed after several months. Dynamic IP addresses are not exactly unusual.

> I have also enabled Mandatory 2FA, which Gitlab will ask you to configure
> next time you access it.

IMHO, this is both an absolutely unacceptable barrier to entry and a constant annoyance each time one has to log in.

> This can be done using either a Webauthn token (such as a Yubikey) or TOTP
> (using the app of choice on your phone)

What am I expected to use with my PinePhone? Does https://apps.kde.org/keysmith/ work?

And how do you intend to prevent users from running the TOTP app on the same device as the web browser (both on the smartphone or even both on the desktop/notebook)? You just cannot. (As far as I know, even Yubikeys can be emulated in software.) Two-factor is a farce.

Kevin Kofler