Should I use in-app 2FA if I log in with Google (and have 2FA turned on for Google)?



  • All users in my Google domain use 2FA on their Google accounts.

    We have on-premise software (GitLab, for example) that allows us to use Google accounts to log in.

    Also, GitLab has a 2FA feature.

    Should we use it? Does it add something to security or not?



  • 2FA is designed to provide security against compromised credentials. Since you are using SSO, the credentials are that of the other IdP (Google, in your case). So 2FA on your Google account protects those credentials.

    However, you might decide that SSO is a potential risk and the IdP might get compromised or someone might be able to provide 2FA codes to the 3rd party credentials. In that case, you might consider enabling 2FA on the local service as well (i.e. GitLab).

    Since you are likely storing your "crown jewels" in GitLab, this is not a crazy thought, but that is up to your risk assessment.

    So, yes, it does add security. Whether or not that extra security makes sense for you, or if it will prove to be an annoyance with no benefit, is up to your assessment.


