doc/security/email_verification.md
{{< history >}}

- `require_email_verification`. Disabled by default.
- `require_email_verification` removed.

{{< /history >}}
Account email verification provides an additional layer of GitLab account security. When certain conditions are met, an account is locked. If your account is locked, you must verify your email or reset your password to sign in to GitLab.
> [!note]
> On GitLab Self-Managed, this feature is disabled by default. Use the Application settings API to enable the `require_email_verification_on_account_locked` attribute.
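
One way to script the setting change described in the note, as an added example that is not part of the GitLab documentation: it reads the current value from `GET /api/v4/application/settings`, sends a `PUT` only if the attribute is off, and confirms the value the instance reports back. It assumes an administrator access token; the function names and the `GITLAB_URL` and `GITLAB_ADMIN_TOKEN` environment variable names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

# Attribute named on this page; function and variable names below are hypothetical.
ATTR = "require_email_verification_on_account_locked"


def settings_request(base_url, token, enable=None):
    """Build a GET (enable=None) or PUT request for the Application settings API."""
    url = base_url.rstrip("/") + "/api/v4/application/settings"
    data = None
    if enable is not None:
        data = urllib.parse.urlencode({ATTR: str(bool(enable)).lower()}).encode()
    method = "GET" if data is None else "PUT"
    return urllib.request.Request(url, data=data, method=method, headers={"PRIVATE-TOKEN": token})


def _call(req, send):
    """Send the request and decode the JSON settings object in the response."""
    with send(req) as resp:
        return json.load(resp)


def ensure_enabled(base_url, token, send=urllib.request.urlopen):
    """Return 'already-enabled' or 'enabled'; raise if the instance does not confirm."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send an admin token over a non-HTTPS URL")
    current = _call(settings_request(base_url, token), send)
    if ATTR not in current:
        raise RuntimeError(f"{ATTR} is not reported by this instance")
    if current[ATTR] is True:
        return "already-enabled"
    updated = _call(settings_request(base_url, token, enable=True), send)
    if updated.get(ATTR) is not True:
        raise RuntimeError(f"{ATTR} is still disabled after the update")
    return "enabled"


if __name__ == "__main__":
    # Assumed environment variable names; the token is never placed on the command line.
    print(ensure_enabled(os.environ["GITLAB_URL"], os.environ["GITLAB_ADMIN_TOKEN"]))
```

The `send` parameter exists so the logic can be exercised against a stub before it is pointed at a real instance.
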
<i class="fa-youtube-play" aria-hidden="true"></i> For a demo, see Require email verification - demo.
On GitLab.com, if you don't receive a verification email, select Resend Code before you contact the support team.
An account is locked when either:
A locked account without 2FA is not unlocked automatically.
After a successful sign in, an email with a six-digit verification code is sent to your account's primary email address. If you cannot access your primary email address, you can instead send the verification code to any of your secondary email addresses.
The verification code expires after 60 minutes.
To unlock your account, sign in and enter the verification code. You can also reset your password.
An account is locked when there are ten or more failed sign-in attempts, or more than the amount defined in the configurable locked user policy.
Accounts with 2FA or OAuth are automatically unlocked after ten minutes, or more than the amount defined in the configurable locked user policy. To unlock an account manually, reset your password.