Strengthening GitLab.com security: Mandatory multi-factor authentication

about.gitlab.com · tcfhgj · 12 days ago · view on HN · research
Published on: January 9, 2026 · 3 min read
Kim Waters · security, product

Learn how GitLab is implementing mandatory MFA as part of its Secure by Design commitment and what it means for users.

To strengthen the security of all user accounts on GitLab.com, GitLab is implementing mandatory multi-factor authentication (MFA) for all users who sign in with a username and password, including password-based authentication to the API.

Why this is happening

This move is a vital part of our Secure by Design commitment. MFA provides a critical defense against credential stuffing and account takeover attacks, which remain persistent threats across the software development industry.

Key information to know

What is changing?

GitLab is making MFA mandatory for sign-ins that authenticate with a username and password. This introduces a critical second layer of security beyond the password alone.

Does this apply to me?

Yes, it applies if:
- You sign in to GitLab.com with a username and a password, or use a password to authenticate to the API.

No, it does not apply if:
- You exclusively use social sign-on (such as Google) or single sign-on (SSO) for access. (Please note: if you use SSO but also have a password for direct login, you will still need MFA for any non-SSO, password-based login.)

When is the rollout?

The implementation will be phased over the coming months, intended both to minimize unexpected interruptions and productivity loss for users and to prevent account lockouts. Groups of users will be asked to enable MFA over time. Each group will be selected based on the actions they have taken or the code they have contributed to.
You will be notified in the following ways:
- ✉️ Email notification, prior to the phase in which you will be impacted
- 🔔 Regular in-product reminders, starting 14 days before
- ⏱️ After a specific time period (which will be shared via email), you will be blocked from accessing GitLab until you enable MFA

What action do I need to take?

If you sign in to GitLab.com with a username and a password:

We highly recommend you proactively set up one of the available MFA methods today, such as passkeys, an authenticator app, a WebAuthn device, or email verification. This ensures the most secure and seamless transition:
1. Go to your GitLab.com User Settings.
2. Select the Account section.
3. Activate two-factor authentication and configure your preferred method (e.g., an authenticator app or a WebAuthn device).
4. Securely save your recovery codes so you can regain access if needed.

If you use a password to authenticate to the API:

We highly recommend you proactively switch to a personal access token (PAT). Read our documentation to learn more.

FAQ

What happens if I don't enable MFA by the deadline?
You'll be required to set up MFA before you can sign in.

Does this affect CI/CD pipelines or automation?
Yes, unless you're using PATs or deploy tokens instead of passwords.

I use SSO but sometimes sign in directly; do I need MFA?
Yes, MFA is required for any password-based authentication, including fallback scenarios.

Which MFA recovery options are available?
Review the troubleshooting documentation.*

* Specific timelines and further resources will be shared as rollout dates approach.

Thank you for your attention to this important change.
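The two recommendations above, replacing password-based API authentication with a PAT and finding CI/CD pipelines or scripts that still use a password, as an added Python example. This is not GitLab's code and does not appear in the post. It assumes that the password path being retired is the OAuth resource owner password grant (POST /oauth/token with grant_type=password) or HTTP basic auth with the account password, that a PAT is presented in the PRIVATE-TOKEN header, and that PATs and deploy tokens carry GitLab's default glpat- and gldt- prefixes, so any other secret is treated as a password (an instance with a custom token prefix would produce false positives). The sample lines it scans are constructed for the example.

```python
"""Added example (not GitLab's code): move API automation from password
authentication to a personal access token (PAT) and audit scripts and CI
configuration for password-based GitLab calls that mandatory MFA will break.

Assumptions not stated in the post:
- the password path being retired is the OAuth resource owner password grant
  (POST /oauth/token with grant_type=password) or HTTP basic auth with the
  account password;
- a PAT is presented in the PRIVATE-TOKEN header;
- PATs and deploy tokens carry the default glpat- / gldt- prefixes, so any
  other secret is treated as a password (custom prefixes -> false positives).
"""
import os
import re
import urllib.request
from typing import List, Optional, Tuple

GITLAB_API = "https://gitlab.com/api/v4"
TOKEN_PREFIXES = ("glpat-", "gldt-")  # assumed default PAT and deploy-token prefixes

_PASSWORD_GRANT = re.compile(r"grant_type=password")
# user:secret@host embedded in an https URL (git clone, curl)
_CRED_IN_URL = re.compile(r"https?://([^/:@\s]+):([^@\s\"']+)@")
# curl -u user:secret / --user user:secret (no colon means curl prompts for a password)
_CURL_USER = re.compile(r"(?:^|\s)(?:-u|--user)\s+([^\s\"']+)")


def build_api_request(path: str, token: Optional[str] = None) -> urllib.request.Request:
    """Return a GitLab API request authenticated with a PAT, never a password.

    The token is read from GITLAB_TOKEN when not passed explicitly, so it stays
    out of scripts and CI YAML. Unlike a password grant, a PAT keeps working
    after MFA is enforced on the account; scope it to the minimum the job
    needs and give it an expiry.
    """
    token = token or os.environ.get("GITLAB_TOKEN")
    if not token:
        raise RuntimeError("set GITLAB_TOKEN to a personal access token")
    return urllib.request.Request(
        f"{GITLAB_API}/{path.lstrip('/')}",
        headers={"PRIVATE-TOKEN": token, "Accept": "application/json"},
    )


def looks_like_token(secret: str) -> bool:
    """True when the secret carries one of the assumed GitLab token prefixes."""
    return secret.startswith(TOKEN_PREFIXES)


def find_password_auth(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag lines that authenticate to GitLab with a password.

    Returns (1-based line number, reason). Token-based calls (PRIVATE-TOKEN
    header, glpat-/gldt- secrets in URLs or curl -u) produce no finding.
    """
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        if _PASSWORD_GRANT.search(line):
            findings.append((n, "OAuth password grant; fails once MFA is required"))
        m = _CRED_IN_URL.search(line)
        if m and not looks_like_token(m.group(2)):
            findings.append((n, f"password embedded in URL for user {m.group(1)!r}"))
        m = _CURL_USER.search(line)
        if m:
            user, _, secret = m.group(1).partition(":")
            if not looks_like_token(secret):
                findings.append((n, f"curl basic auth with password for user {user!r}"))
    return findings


# Constructed sample lines (not from any real repository): 1-3 must be fixed,
# 4-7 already use a PAT or deploy token and pass the audit.
SAMPLE_LINES = [
    'curl --request POST "https://gitlab.com/oauth/token" --data "grant_type=password&username=deploy&password=$GL_PASS"',
    "git clone https://deploy:Hunter2@gitlab.com/acme/app.git",
    "curl -u deploy:Hunter2 https://gitlab.com/api/v4/projects",
    'curl --header "PRIVATE-TOKEN: glpat-xxxxxxxxxxxxxxxxxxxx" https://gitlab.com/api/v4/projects',
    "git clone https://oauth2:glpat-xxxxxxxxxxxxxxxxxxxx@gitlab.com/acme/app.git",
    "git clone https://gitlab+deploy-token-1:gldt-xxxxxxxxxxxxxxxxxxxx@gitlab.com/acme/app.git",
    "curl -u oauth2:glpat-xxxxxxxxxxxxxxxxxxxx https://gitlab.com/api/v4/user",
]


if __name__ == "__main__":
    for n, reason in find_password_auth(SAMPLE_LINES):
        print(f"line {n}: {reason}")
    print(build_api_request("projects", token="glpat-example").full_url)
```

Run the scanner over your pipeline definitions and deployment scripts before your rollout phase; every finding is a job that will start failing at the cut-over. The same token-in-header pattern applies to git over HTTPS, where the PAT goes in the password position of the URL (as in sample lines 5 and 6), and to deploy tokens for read-only clone jobs.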