consider enforcing 2FA across GitLab
In #41470 (closed), we investigated the impact of an authentication bypass in GitLab (CVE-2023-7028). One of the key takeaways is that 2FA renders the attack mostly moot. This makes this group (tpo/tpa) immune to it, but not all users benefit from this.
We should consider enforcing 2FA more broadly here. One likely first target would be tpo/web, which has only a handful of users without 2FA (one of which was @gitolite-merge-bot, whose access was removed in #41469 (closed)). But we could broaden this to all of tpo.
Edited by anarcat