Enable two-factor authentication (2FA) with an authenticator, such as Google Authenticator or 1Password TOTP, on every account that supports it. This is required for Google, Slack, IllumiDesk.com, and dev.IllumiDesk.org accounts. Users without 2FA enabled who are stale for over 30 days will be blocked/suspended until this is resolved. This improves the security posture for both the user and GitLab.
Using SMS text messages as a second factor is highly discouraged, even where a system offers the option. Phone company security can be easily subverted by attackers, allowing them to take over a phone account. (Ref: 6 Ways Attackers Are Still Bypassing SMS 2-Factor Authentication / 2-minute YouTube social engineering attack with a phone call and crying baby)