GitLab developer here! Thank you, Sytse, for answering already, I'm happy to go into a little more depth.
> I highly recommend showing users the key for their storage - I've had to extract the keys from FreeOTP and Google Authenticator a number of times.
I'm curious, in what situation would you need to extract the key while you still have access to it in one of your apps? We have recovery codes for the situation where you've lost the key in your app, but that doesn't seem to be what you're describing. If you're moving from one app or phone to another, you can just turn off 2FA on GitLab and then turn it on again—you'll get a new key.
> How do you leverage 2FA with LDAP/AD accounts? Do you store/check the key in gitlab and then auth the users against LDAP/AD - or store the key in LDAP/AD?
The 2FA flow is the same for regular GitLab users and those backed by LDAP. After the initial username/password auth step, they are presented with the 2FA form. In both cases, the key is only in GitLab.
> in what situation would you need to extract the key while you still have access to it in one of your apps?
I use FreeOTP on Android to store and generate OTPs. Many years ago I had an HTC One (old version). I was listening to music one day and it just died - wouldn't turn on. Thankfully I had extracted most of my OTP keys and was able to set up FreeOTP from scratch. If I hadn't - I would be in a world of hurt for the ~20 services that may or may not provide recovery codes (I know you do - but just keep in mind phone dying or theft).
Like I mentioned in the previous post - to me a recovery key isn't to be used lightly, in my opinion it should only be used for "oh crap I need to login right now and I don't have my phone".
I'm not saying I don't trust you and recovery codes - I already got burned once and I don't want to be in that position again. My solution is to squirrel away the OTP keys. Besides - I can already get it by using a barcode scanner on the QR code you generate so I'm not sure what we are arguing about.