Hacker News

I've implemented 2FA for SVN and Mercurial (not yet for git) for Indefero. I highly recommend showing users the key for their storage - I've had to extract the keys from FreeOTP and Google Authenticator a number of times.

How do you leverage 2FA with LDAP/AD accounts? Do you store/check the key in gitlab and then auth the users against LDAP/AD - or store the key in LDAP/AD?



GitLab developer here! Thank you, Sytse, for answering already, I'm happy to go into a little more depth.

> I highly recommend showing users the key for their storage - I've had to extract the keys from FreeOTP and Google Authenticator a number of times.

I'm curious, in what situation would you need to extract the key while you still have access to it in one of your apps? We have recovery codes for the situation where you've lost the key in your app, but that doesn't seem to be what you're describing. If you're moving from one app or phone to another, you can just turn off 2FA on GitLab and then turn it on again—you'll get a new key.

> How do you leverage 2FA with LDAP/AD accounts? Do you store/check the key in gitlab and then auth the users against LDAP/AD - or store the key in LDAP/AD?

The 2FA flow is the same for regular GitLab users and those backed by LDAP. After the initial username/password auth step, they are presented with the 2FA form. In both cases, the key is only in GitLab.


> in what situation would you need to extract the key while you still have access to it in one of your apps?

I use FreeOTP on Android to store and generate OTPs. Many years ago I had an HTC One (old version). I was listening to music one day and it just died - wouldn't turn on. Thankfully I had extracted most of my OTP keys and was able to set up FreeOTP from scratch. If I hadn't - I would be in a world of hurt for the ~20 services that may or may not provide recovery codes (I know you do - but just keep in mind the phone dying or theft).

Like I mentioned in the previous post - to me a recovery key isn't to be used lightly, in my opinion it should only be used for "oh crap I need to login right now and I don't have my phone".

I'm not saying I don't trust you and recovery codes - I already got burned once and I don't want to be in that position again. My solution is to squirrel away the OTP keys. Besides - I can already get it by using a barcode scanner on the QR code you generate so I'm not sure what we are arguing about.


GitLab CEO here, I'm probably out of my depth and misunderstanding but let me try. I'll see if other people on my team can look into the question too.

Instead of extracting keys don't you want to use backup codes (that we provide)?

2FA for LDAP accounts is an additional safety measure that you need to unlock the account. The key is stored in the same place as with a non-LDAP account, I think.


> Instead of extracting keys don't you want to use backup codes (that we provide)?

Perhaps my opinion is wrong - but if I replace my OTP generating device (such as my phone) I don't want to use recovery codes, I just want to restore FreeOTP and be on my way. Recovery codes to me are "oh shit I need to get to my account right now because of some important reason X and I don't have my phone with me". To give you some background of why - I have about 20 OTP keys in FreeOTP right now - being able to have root access and restore FreeOTP from Titanium Backup is very important to me.

This was particularly annoying when a service did not provide recovery codes. Or even worse (Symantec VIP OTP) they generate a random key based on the device - so even if you reinstall it you can't get the same key back (according to reviews in the Play Store, updates have even triggered a regen of keys) - locking people out of their accounts because many services who use Symantec VIP Access don't offer recovery codes.

This all goes back to the idea of exporting keys from apps like FreeOTP and Google auth. People have asked numerous times but no one wants to implement it in those applications (there is a 3rd party OTP app that claims to store the keys encrypted in dropbox...but last time I used it the automatic backup stopped working....).

To make a long story short - if you present the QR code I can get the key by using a barcode scanner - but just tell me what it is so I can throw it in my password manager in the event I need to get into my account without my phone or have to replace my phone.

We can talk offline if you are interested and I can explain how I do 2FA for SVN and Mercurial.


Thanks for the background. If I understand correctly you want functionality that is not common in other applications. We don't want to be on the bleeding edge here, we're no crypto experts and prefer to keep things as simple as possible.


Hi nadams, I just replied to your original post, at the same time you posted this one. If you have any questions that aren't answered in that reply, feel free to ask!


Thanks Douwe!



