Email verification on login provides an additional layer of security even without 2FA implemented. This security measure is triggered once an account has three or more failed sign-in attempts in 24 hours, or when a user attempts to sign in from a new IP address.
GitLab also supports another basic authentication method, the Resource Owner Password Credentials (ROPC) flow, in which the user's credentials (username and password) are exchanged at the endpoint /oauth/token for an access token with full read and write scope. As with web authentication, a restriction is implemented on this endpoint to prevent unauthorized authentication. For example, sending the token exchange request to this endpoint from a new IP address will result in the following API error response:
https://hackerone.com/reports/2676025
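The trigger rule described above, modelled as an added example (not GitLab's code and not taken from the report): a single policy object is consulted for every password-based entry point, so the web sign-in form and the /oauth/token password grant share one failure counter and one known-IP set per account. The class and function names, the choice to let the first accepted sign-in seed the known-IP set, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # window stated in the text
MAX_FAILURES = 3              # "three or more failed sign-in attempts"

class VerificationPolicy:
    """Illustrative model of the trigger rule; not GitLab's implementation."""

    def __init__(self):
        self.failures = defaultdict(list)  # user -> times of failed attempts
        self.known_ips = defaultdict(set)  # user -> IPs of accepted sign-ins

    def evaluate(self, user, ip, when, password_ok):
        """Return 'denied', 'verify_email' or 'allowed' for one attempt."""
        # Keep only failures inside the 24-hour window.
        recent = [t for t in self.failures[user] if when - t < WINDOW]
        if not password_ok:
            recent.append(when)
        self.failures[user] = recent
        if not password_ok:
            return "denied"
        # Assumption: the first accepted sign-in seeds the known-IP set.
        new_ip = bool(self.known_ips[user]) and ip not in self.known_ips[user]
        if len(recent) >= MAX_FAILURES or new_ip:
            return "verify_email"  # correct password alone is not enough
        self.known_ips[user].add(ip)
        return "allowed"

T0 = datetime(2024, 1, 1, 9, 0)
# Constructed sample: (minutes after T0, entry point, user, ip, password_ok)
EVENTS = [
    (0, "web", "alice", "198.51.100.7", True),
    (10, "ropc", "alice", "198.51.100.7", True),
    (20, "ropc", "alice", "203.0.113.9", True),   # new IP
    (30, "web", "bob", "198.51.100.8", True),
    (40, "ropc", "bob", "198.51.100.8", False),
    (41, "web", "bob", "198.51.100.8", False),
    (42, "ropc", "bob", "198.51.100.8", False),
    (50, "web", "bob", "198.51.100.8", True),     # 3 failures in 24 h
    (1500, "web", "bob", "198.51.100.8", True),   # failures aged out
]

def replay(events):
    """Feed every entry point's attempts through one shared policy."""
    policy = VerificationPolicy()
    # The entry point is deliberately ignored: state is keyed on the account.
    return [policy.evaluate(user, ip, T0 + timedelta(minutes=m), ok)
            for m, _entry, user, ip, ok in events]

if __name__ == "__main__":
    print(replay(EVENTS))
```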