Leveling up your Cloud security with 2FA and IP Whitelisting

We live in an age where data breaches are very common. In the last three years, everyone from major retailers to modern tech companies has experienced massive data breaches – yet CompTIA research shows that most companies are still not fully prepared against security threats and haven’t taken the necessary steps to overhaul their security measures. No matter how much focus is put on data security, it's the end user who is ultimately the weakest link and can be vulnerable to password hacks.

To avoid this, it’s more important than ever that you aren’t just securing your account with a password, but also taking measures like two-step verification to keep your private content on Bitbucket, well… private. In addition to two-step verification, Bitbucket is taking security a step further for teams who store their source code in Bitbucket Cloud and desire additional security: team admins can require their teams to enable two-step verification and/or limit access to private code by IP address. Let’s take a deeper look at how admins can benefit from IP whitelisting and required 2-step verification.

Ensure secure access with required two-step verification

Two-step verification (also known as 2FA) ensures your data will continue to be protected even if someone else gets your password. This is great for those who have it enabled as an extra security mechanism, but how do you really know if your team is taking advantage of this extra security? Manually following up is always an option for a small team, but what happens when your team grows to 10, 20, or more than 100?

We’re launching required 2-step verification in Bitbucket for account administrators who need their team to have two-step verification to access private code. When you enable this option for your team, users will need to have two-step verification enabled in order to interact (view, push, clone, etc.) with your account’s private content: repositories, team settings, issue trackers, wikis, and snippets. If a user doesn’t have two-step verification enabled at the time of access, they'll see instructions in the UI on how to enable two-step verification and continue.


IP whitelisting for your private code

With IP whitelisting enabled, users will only be able to interact (view, push, clone, etc.) with your account’s private content if they are accessing Bitbucket from an IP address you have selected and know is safe. If a user tries to access any of your team’s repositories, issue trackers, wikis, snippets or team settings from an un-whitelisted IP, they’ll receive an error. This helps prevent unwanted third parties from accessing your account even if they have acquired a team member’s email address and password. As the first of the leading Git repository management tools to provide advanced Cloud security like IP whitelisting, we’re taking steps to make teams feel safe storing their source code in the Cloud.
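The sketch below is an added example, not Bitbucket's code: it models how the two admin controls described above (required two-step verification and an IP allowlist) combine into one access decision for private content, including the IPv4-mapped IPv6 and malformed-address cases. The `TeamPolicy` class, the function names, the order of the checks and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class TeamPolicy:
    """Hypothetical model of the two admin settings described above."""
    require_two_step: bool = False
    allowed_networks: list = field(default_factory=list)  # CIDR strings; empty = no IP restriction

    def networks(self):
        # strict=True rejects entries with host bits set (e.g. 203.0.113.5/24),
        # a typo that would otherwise be read as the whole /24.
        return [ipaddress.ip_network(n, strict=True) for n in self.allowed_networks]

def normalize(ip_text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so IPv4 rules still match."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def check_access(policy, source_ip, user_has_two_step, content_is_private=True):
    """Return (allowed, reason) for one request to a team's content."""
    if not content_is_private:
        return True, "public content"  # both controls apply to private content only
    nets = policy.networks()
    if nets:
        try:
            ip = normalize(source_ip)
        except ValueError:
            return False, "unparseable source IP"  # fail closed
        if not any(ip in net for net in nets):
            return False, "source IP not allowlisted"
    if policy.require_two_step and not user_has_two_step:
        return False, "two-step verification required"
    return True, "ok"

# Constructed sample data: documentation address ranges, not real office networks.
POLICY = TeamPolicy(require_two_step=True,
                    allowed_networks=["203.0.113.0/24", "2001:db8:10::/48"])
REQUESTS = [("203.0.113.25", True), ("::ffff:203.0.113.25", True),
            ("198.51.100.9", True), ("203.0.113.25", False), ("not-an-ip", True)]

def evaluate_samples():
    return [check_access(POLICY, ip, two_step) for ip, two_step in REQUESTS]

if __name__ == "__main__":
    for (ip, two_step), result in zip(REQUESTS, evaluate_samples()):
        print(ip, "2SV" if two_step else "no-2SV", result)
```
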

We’ve heard from several teams that using IP whitelisting with Bitbucket will allow them to move off on-prem version control systems and enjoy the savings and convenience of hosting their code in the cloud. When digging into the use cases and needs of these teams, we found some common themes for how this feature would be used:

  • Security controls on devices – admins often want to make sure the desired security controls are in place on a user’s device before the user can even get network access to private content
  • VPN Server – lock down your VPN server for remote employees to access private content via authentication from their device
  • Strict no work from home policy – certain industries simply don’t allow working from home; whitelisting an office IP would ensure this stays true

“For Limpid Logic customers, remote access and IP whitelisting are sometimes a legal requirement, especially for clients in highly regulated industries such as finance and healthcare. Our work often deals with sensitive intellectual property that requires limited geographic access to repos from a few specific IPs,” said Bachir El Khoury, Managing Director at Limpid Logic. “IP whitelisting is exactly what we need within our business and we’re thrilled to see this security feature in Bitbucket.”

IP whitelisting is a feature of Bitbucket’s Premium plan and can be found under the access controls section of your account settings.

Bitbucket’s Premium plan

Both of these features are available in Bitbucket's Premium plan, which also includes merge checks, smart mirroring, 3,500 build minutes for Bitbucket Pipelines and 10 GB/month of Git Large File Storage (LFS). 

This plan specifically aims to improve the experience for administrators of teams with lots of users and repos, complex business requirements (as a result of industry standards, etc.) or both, which we've found become more prevalent as a team grows.

All features in this plan are in a free trial until pricing changes take effect, when the plan will be available for $6/user/month. For a complete breakdown of our pricing and what falls in each plan, check out our pricing comparison page.


Try required 2-step verification and IP whitelisting

If you're ready to enhance your security measures, sign up for a Bitbucket Cloud account. If you are already a Bitbucket customer, further documentation for IP Whitelisting and requiring two-step verification can be found here.

