Issue #5811 open

Support two-factor authentication (BB-7016)

bano6010
created an issue

Hello,

It would be awesome if you could give users the option to protect their Bitbucket account by using a two-factor authentication system.

It would be epic if you used the Time-based One-time Password (TOTP) algorithm specified in RFC 6238(https://tools.ietf.org/html/rfc6238) so it would work with Google Authenticator app for just about every mobile platform.

Thanks for providing a great service! Happy Holidays.

Comments (285)

  1. Sloan Looney

    +1

    Our board is asking me to report on the security of our source code and it's hard to convince them that putting it on the Internet protected by a username/password is sufficient. 2nd factors would make that conversation much easier. Using Google Authenticator is a great idea.

  2. arabold

    This feature will make most sense if I can enforce the use of 2-Factor Authentication for my team. Otherwise it's not very useful as people tend to be lazy and just "forget" to enable it themselves.

  3. Bradley Bergeron

    I love Bitbucket and have been using it for basically every repo I've made since I discovered it. I've also become a huge two-factor advocate over the past year. Please support this!

  4. Justen Stepka

    Official update:

    Atlassian is currently building an SSO system similar to what Google has for their business products to link all our offerings together, dubbed Atlassian ID. One of the longer term items on that roadmap is two factor authentication. Right now I cannot offer an ETA for two factor auth, however I can say that Atlassian ID will be a big leap forward and allow us to give teams a much better user experience when using multiple products. For those of you using Google Apps, that may be an option for you once we roll out Atlassian ID.

    Cheers, Justen -- Bitbucket product manager

  5. Andrew Shu

    Please stop spamming +1 in the comments.

    We no longer track "+1" on issues. Please use the vote link at the top right side of the page.

    Cheers, Marcus Bertrand Bitbucket Support

  6. ywliu

    Since a brute force attack on github led to many compromised accounts, I hope bitbucket now can start thinking about heightening the priority of this request.

    Thanks for your attention.

  7. Ben McCann

    GitHub shipped a feature this afternoon that allows owners of paid organizations to see which members do not have 2FA enabled. That information is now visible on the organization's members page. Time to cancel that paid Bitbucket account I just setup

  8. Dodzi Dzakuma

    You probably already know this but here is some information about the attack on one of your biggest competitors

    http://www.theguardian.com/technology/2013/nov/21/github-accounts-compromised-in-brute-force-attack

    http://www.theverge.com/2013/11/20/5126906/weak-github-passwords-lead-to-account-security-breach

    They sent out e-mails to users who had weak passwords and those that may have been compromised. Those using two-factor verification were safe. I have two-factor authentication enabled on my GitHub account.

    Seeing how the attacker(s) used multiple IP addresses over a period of several days to hack in, it is hard to track making most sites vulnerable.

    I think it's about time that you changed priority of this issue from "Minor" to "Do it immediately to protect our business, our assets and our investors."

  9. Adrien Saladin

    Until this feature is implemented, an option is not to use your password to log into your bitbucket web account but instead use any identity provider already using 2FA, like google, facebook, twitter, github, ...

  10. Adrien Saladin

    babbosilva Yes this feature is missing, and I voted for this. My suggestion was to mitigate the problem for the web part.

    On your trusted computer you can use ssh keys, that would prevent someone looking over your shoulder.

    On untrusted machines, well I don't really want to push code or download private projects, and I don't need authentication for getting public projects.

    So I see one issue left: when pushing code for public projects from untrusted computers.

    There may however be other use cases.

  11. AndySomerville_HAE

    I'd say that there shouldn't be the concept of trusted and untrusted machines; only more trusted and less trusted. From that perspective 2FA is relevant in the other stories as well.

    And as a side note it's probably even possible to connect the ssh agent to a 2FA system, adding a layer there.

  12. Wojciech Piekutowski

    Wow this ticket has only "minor" priority? It sounds like priority of keeping our source code safe is also "minor" for the Bitbucket team. Guys, seriously, do you really need to get hacked before you implement this? Why not learn from competition mistakes and make it the most important feature?

  13. Martijn Heemels

    Wojciech Piekutowski To be fair 'being hacked' isn't really the issue with this ticket. Password authentication has been an accepted authentication method for a long time and isn't suddenly unsafe, even if it could be improved. It's the responsibility of the users, not Atlassian, to use strong and unique passwords to avoid abuse of their repositories.

    If you can't trust someone to properly secure their account you can't expect them to properly use two factors, right? Don't give them write access to your central repos and adopt a clone->pull-request workflow or something. Sure I would like to see 2FA implemented but 'most important'?

    Atlassian's main security focus should be making sure there's no other way to get to our code, such as bugs. Things that us users have no influence on, and could allow bypassing authentication or authorization, such as the March 2012 Homakov exploit at GitHub.

  14. Jacob Gable

    Martijn Heemels Nobody argued that passwords weren't an accepted authentication method or inherently unsafe, you are making a straw man argument. This ticket is about providing an extra layer of protection in case a security breach occurs.

    Your reasons provided for focusing on other things seem short sighted and full of hubris considering the surface area of dependencies that a site like bitbucket has for attacks, but the end is important in all things. If you never get hacked, you're right; but if you do....

  15. Sundeep Malladi

    Martijn Heemels Adding two-factor authentication doesn't mean that Atlassian will not continue contributing resources to plugging potential security holes.

    And while passwords may be an accepted form of auth, it's always been less than ideal as a method to confirm a user's identity. We can do better and this is an opportunity to do just that. Note too, Atlassian is now a latecomer to the 2-factor auth party, with Google, GitHub, Dropbox and a host of other online services using this approach to safeguard their customers' data.

  16. Martijn Heemels

    Jacob Gable I've edited my comment to be a response to Wojciech Piekutowski which I meant to do in the first place. The tone of his comment and some others was unnecessarily sensationalistic which usually does not help the ticket forward. Hyperbole only clouds the issues.

    Please do not assume that my comment meant I think 2FA is not important. I would like a higher priority too. However, in my opinion it is definitely not 'the most important'. Your opinion may differ of course.

    If we want this ticket to get more attention, a useful method would be to get more upvotes. Will everyone who commented with '+1' please make sure they've upvoted the ticket (top right), and convince others to do the same?

  17. AndySomerville_HAE

    Edit: I wrote my response before seeing your latest. I'll leave it for posterity anyway.

    To be fair 'being hacked' isn't really the issue with this ticket.

    Martijn Heemels, respectfully, I disagree. "Being hacked" doesn't need to happen via some high tech means. Password guessing, shoulder surfing, and keylogging all count.

    Password authentication has been an accepted authentication method for a long time and isn't suddenly unsafe,

    Again, I completely, respectfully, disagree. When passwords were used on small low profile systems, they were less important because of the cost involved in identifying and customizing an attack to a target. Now that large amounts of extremely important valuable information are "in the cloud" on public, high profile, highly aggregated targets, accounts on those services are at higher risk.

    Passwords have always been a terrible authentication method, there just weren't many other viable options.

    It's the responsibility of the users, not Atlassian, to use strong and unique passwords to avoid abuse of their repositories.

    This is completely wrong. Atlassian is the only one who can improve the security of Atlassian products. They are responsible to their customers & users to implement best practices. No one else can do it for them.

    2 factor is not a fringe idea. It's main stream and done by most of the big players.

    Atlassian's main security focus should be making sure there's no other way to get to our code, such as bugs.

    This is a low hanging fruit which cuts down on one of the weakest parts of the attack surface. There is every reason to make this high priority.

    Fortunately it's at least on the radar as they mentioned above that it will be part of Atlassian ID that they're working on.

  18. Wojciech Piekutowski

    Martijn Heemels the only answer I'd like to hear, as a customer looking for a GitHub alternative, is: "2-factor auth is going to be introduced on insert_exact_date_here". I'm pretty sure all the "unnecessarily sensationalistic" comments about "being hacked" will stop once a precise date (or at least an estimate) is announced here.

  19. Wisteso

    The previous company I worked for, and my current company will likely be moving away from Bitbucket due to lack of support for 2FA. The simple matter is that no one is perfect and a service like BB needs to stay current in the methods used to protect against security breaches. People get hacked by exploits that haven't been patched yet, laptops get stolen/lost, etc.

    The lack of a higher priority, or any recent information about a timeline for this feature indicates to us that Atlassian isn't too concerned with protecting the extremely delicate value of the I.P. that is stored on their servers. It's very unfortunate because I generally like Atlassian's products, but preference matters very little when your I.P. is at risk.

  20. James Mills

    Ditto to both Wisteso and Aaron, I may have to consider seriously moving away from Bitbucket as well. It's just a shame Github doesn't support Mercurial repositories :/

  21. Scott Roberts

    Oh please tell me this broader effort will also add SAML support along with MFA/OTP. You guys are behind in auth and identity management. I hope you guys get this right. As mentioned by Ben McCann if you implemented SAML, I could bring my own MFA/OTP.

  22. catskul

    Weekly reminder: +1 isn't tracked anymore and produces noise to everyone subscribed to the ticket. Please use the "vote" link/button in the box at the top right.

  23. Belai Beshah

    We are also waiting for this and would like an update of when it will be available. I agree with Zack Moore in that it will still not be useful until the team membership can enforce it since what stops a user from turning 2FA off.

  24. Anonymous

    Absolutely. Not having MFA becomes more and more of an issue these days. I just can't trust the password-only system, no matter how hard I protect (and I do) all my passwords.

  25. Bruno Durán Rey

    This feature is currently in the works and will be released in about 45-60 days as part of our on-going effort to revamp Bitbucket / Atlassian's authentication systems for all OnDemand products. Cheers, Justen -- Bitbucket product manager 2014-01-29

    Hi there all people, ~62-63 days since this announcement.

    Regards, Bruno

  26. Keith Morrow

    eq_pe a feature like this, especially against an established codebase, certainly takes longer than a few days, certainly when you want it to be done right. And this is a security feature; you want those done right.

  27. Rahul Trikha

    This is exciting news guys, thank you so much for doing this. I just love BitBucket and wish you guys keep making it more awesome for all of us to use.

  28. andy_somerville

    Weekly reminder: +1 isn't tracked anymore and produces noise to everyone subscribed to the ticket. Please use the "vote" link/button in the box at the top right.

  29. Calrion

    I've just arrived from GitHub, and frankly I'm a little surprised 2FA hasn't been implemented here yet—I thought it was a given.

    I have to admit, the lack of 2FA has given me pause about whether I really want to migrate my private repositories here or not.

    I've voted for this issue. It's concerning to me that this issue is considered 'minor' and has been open for more than a year. I look forward to seeing progress.

  30. Dodzi Dzakuma

    This is a serious question to the moderators of this thread. How many votes are needed to consider this a "major" or even "critical" priority enhancement? I'm sure the followers of this thread would be able to act accordingly to get the needed number of votes if a CONCRETE number was established.

    If possible please inform us of the number of votes needed to make it "major" and the number of votes needed to make it "critical".

  31. Kevin Doolan

    Dear Justen Stepka,

    As a paying Atlassian / BitBucket customer who is holding off transitioning over an entire company to BitBucket pending 2FA roll-out, I would very much appreciate an update on this.

    "45-60 days" has come and gone and no sign of the feature or an update on progress. We held off going elsewhere based on this announced timeline. We can't wait forever so we're going to have to move on if this isn't coming real soon.

    I look forward to hearing from you. Failing that I'll assume 2FA is not happening.

  32. Sam Xiao

    This request was originally made in 2012 and it took them 2 yrs and still not added 2FA?

    I'll be leaving BitBucket if this is not enabled!

  33. katzmopolitan

    Any updates on this? Looks like it's been in the queue for a long time and seeing all those news articles about security breaches is not reassuring. Looks like this issue is marked as priority "Minor". Maybe it's time to reconsider the priority?

  34. Jeronimo Backes

    +1 Please implement this. It would be great if google authenticator becomes supported (it does not need to be the ONLY additional authentication mechanism, not everyone likes it)

  35. Sasha Kotlyar

    2FA using TOTP or HOTP would be better than proprietary systems, because they're open standards and there are existing apps on every platform that support these mechanisms.

  36. Ted Jardine

    Sasha,

    Hah! At this point (almost two years since the OP), anything would be nice.

    Having said that, I hook mine up with Google apps which does have it, so I'm getting it on bitbucket...sort of.

  37. Sasha Kotlyar

    Ted,

    This issue has one of the highest vote counts, so I'd expect that at the very least it hasn't been forgotten.

    I also use the Google OAuth login for BitBucket, but as long as we still have the "standard" password login, that remains the weakest link, and that is what everyone here wants addressed.

  38. Gary Kramlich

    Forcing 2FA for web login would be awesome, but I'd like to see it go further and require it for pushes. Either at the repository level, the user level, or the ssh key level.

  39. Carl Sargunar

    I've got to say, I've been following this for so long and have been using Bitbucket for a while. I've not created any new repositories on Bitbucket as a result and have been using Github. I'll be using Github for all new work I create, and slowly my allegiance to bitbucket will wither and die ....

  40. mopsusm

    2 years... 574 votes, 172 comments, wow long thread. Here's another +1

    I looked around a bit and it looks like you can create a Bitbucket account using just a Google account which would give 2fa for all access as best as I can tell. Also once you have a Bitbucket account you can set up to authenticate using a Google or github account again giving you 2fa via the third party. Is there any way to fully remove the ability to log in with bitbucket username and password in favor of third party auth once the account has been created?

  41. mopsusm

    Maxim, my apologies, I didn't mean to come off like a troll. Bitbucket is a great product, just needs 2fa for Google authenticator or duo integration or something.

  42. cheapRoc

    Do really want. Security and privacy come first. Thanks.

    This should be a mandatory "all hands on deck" kind of feature... j/k bet you cringed? ;)

  43. Henrik Pedersen

    What the fuck? How can this still NOT be implemented? We are living in 2014!! I have lots of respect for Atlassian but this is like a car without any kind of security. It might work, and even run great, but hell yeah it's gonna get stolen and you might die if you get into a crash..

    So make it available in paid plans only. We don't care. We will throw our money in your face. But it's kind of a big deal to us and we might have to migrate to Github...

  44. Samurai Ken

    Well.. it looks like I will be migrating to GitHub after all. I like Atlassian, and I like the tool - but honestly this approach of just ignoring critical functionality and being openly dismissive of our concerns is borderline insulting.

  45. Belai Beshah

    Sad but that is the same conclusion we have come to after waiting for 10 months for this bug to get fixed so that we can have better integration with our OnDemand JIRA/Confluence. We have now started the process of moving to github instead. We also wanted the close integration with Bamboo with remote slaves too and another feature ignored by Atlassian PM while they develop stupid GUIs that color the developers' initials ☺ so looking for something else there too. It just looks like they don’t care about providing an integrated developer’s platform(ticket/code/wiki/build/testcase).

  46. Chris Graham

    I heard that HBO's "Last Week Tonight with John Oliver" is highlighting this as a “How Is This Still a Thing!” segment.

    So lame to not have this feature. I guess it will take a successful attack on their system to have it implemented.

  47. soupangel

    Appalled that this isn't done after 2 years, especially considering the total lack of updates from Atlassian on progress. Have already stopped recommending BB to clients, and will be moving all my repos to Github (although it pains me!) next time I get a free few hours. Plus, the attitude Atlassian have towards this issue reflects poorly on the whole of their organisation!

  48. Andrew Wied

    total lack of updates from Atlassian on progress

    This is the most frustrating part for me. The people who use Atlassian's tools are developers. We understand that priorities change or that there may be unexpected impediments to progress, but we don't get to just ignore our customers when they ask for updates. I was a huge promoter of the Atlassian suite of tools to my clients, including Bitbucket, and I really want to recommend them again... But I've been following this issue since 2013 and have seen Atlassian respond once, promising the feature shortly and then complete silence afterward.

    I guess after all this time waiting in silence I just feel disrespected by having nobody comment periodically on the progress (or even lack of progress) on this issue. This isn't a minor item, and it is in everyone's best interest, both Atlassian's and us users. It would take a person a few minutes of time every few weeks. Atlassian, come on. Your customers are at least worth that.

  49. Tom Gillett

    I asked an Atlassian representative about this at a conference recently. They were aware of the issue, and mentioned that progress had been made but shelved pending the implementation of a universal logon for Atlassian services.

    Whether that is the case or not I don't know, but it did give me some hope that 2FA may still be in the pipeline.

    For all we know, the Bitbucket devs may be as frustrated as we are!

  50. Chris Graham

    Maybe less time at conferences and more time on this feature might help. We have heard the universal login a while ago, and it is still not there either.

  51. George Mauer

    The silence is exactly the issue here. This, (along with a similar thing happening with hipchat multiple-account-login) is actually the biggest mark in the "cons" column for moving our whole company to Jira

  52. suchabohn

    This one issue is weighing my recommendation to use bitbucket down among my peers. It's easy to implement in a few hours (probably a few days), good thing is you don't need to implement anything for the client tools. People are comfortable using authenticator apps from Google, Microsoft or Authy.

    And the good news is I implemented this for my website (written in node.js) on my way to work by bus (in sweet 15 mins). And now I have 2FA (TOTP) for my own website's admin area.

    Come on folks at Atlassian, you can do better.

    Give us a reason to smile.

  53. Matthew Jewell

    I don't make assumptions about how easy 2FA is to implement within a system of the scale of Atlassian. That said (as a long time follower), the most frustrating thing about the response or lack thereof to this issue is the "minor" priority it has been given. Enough has been said about the importance of 2FA for each of us, but what really confuses me is how this issue remains of minor status when I would think it enough that a) your largest competitor has it and b) the continued activity of this thread is evidence of the support for it from the community.

  54. soupangel

    Yeah the last time Atlassian posted here about "Atlassian ID" was October 2013 - still over a year ago. I understand that a universal login is a big nice-to-have, but sacrificing implementing a more basic 2FA system for this in the meantime seems (in hindsight at least) a bad move.

    Perhaps we could have an update on the progress of Atlassian ID, along with a promise that it will include 2FA in its first release?

  55. Maxim Rybalov

    Tom Gillett Yes, they've been talking about Atlassian-wide SSO for probably over a year now.

    Everybody else, please don't just write "+1". That's useless to Atlassian for tracking and annoys everybody that subscribed to this issue.

    Instead, make sure you click on Vote in the top right corner of this page.

    Additionally, public shaming on Twitter is in order. Head to https://twofactorauth.org/ and click on the blue twitter button next to Bitbucket entry.

  56. Jens Schumacher staff

    Official update

    Thanks for the feedback and sorry about the lack of response. The issue with providing updates on our progress is that estimates are just that, estimates. We prefer not to set false expectations, which we've done enough of in the past unfortunately.

    What we can do is provide a bit more detail on our current plan: We are continuing our work on an Atlassian wide identity service. At our scale, this is not a trivial problem to solve across the number of products and services we have.

    2FA is unlikely to be part of the initial SSO roll-out since it would delay the release even further. But it is on the roadmap after the initial release.

    Why are you waiting for the identity service instead of just implementing it in Bitbucket? We've considered this option, but it would likely result in a different implementation for Bitbucket which we then would have to migrate to the solution provided by the Atlassian-wide identity service.

    A year ago we truly believed that the identity service was only 3-6 months out and we've made the decision to wait instead of duplicating the effort. Unfortunately things changed and if we would have known at the time how much longer it would take us to deliver the service, we probably would have gone ahead and implemented it in Bitbucket first.

    I hope this provides a bit more insight into our plans for 2FA.

  57. Willie Zutz

    Well that sure is a pretty disappointing update.

    Sounds like we're still many months away from 2FA. Guess it's time to start investigating moving to another service. Not that you care about losing my free account.

  58. scottheckel

    They should care about losing your free account. A free account turns into paid accounts and advocates who bring Bitbucket to their organizations. I for one would never pay for Bitbucket without 2FA.

  59. Adam K Dean

    We are identifying paid accounts, and this is a deal breaker, so yes, there is lost business. I like that the pricing here is team member constrained and not repository constrained like GH, and that it integrates into JIRA naturally, but this is a deal breaker, no two ways about it.

  60. Henrik Pedersen

    It's really a sad update. But.. Well.. I really like your service. If you could just update us more often...

    I will be waiting for it to roll out. It's a very big deal. I myself have an 80-character password or so, but I can't guarantee that my teammates will have the same, and neither will help us when our keys get stolen by malware..

    We considered Github, but it's too late for us now lol.. We've fallen in love with the Atlassian way of life.

  61. Samurai Ken

    This had been a real problem for me until recently. But the landscape is changing a LOT.

    I am not a fan of the GitHub service and so Bitbucket was a core tool for me. However - Microsoft has started hosting free private Git repositories as part of their Visual Studio online initiative. You do not need to use VS for these, by the way - it is regular git and I use it for node.js projects as well. They have agile planning, bug tracking and so on with it. It is actually pretty good.

    Obviously, two factor auth is supported.

  62. Anonymous

    Happy New 2015, Atlassian. Still no MFA. Shame on you and I don't care what kind of excuse or broken promise you have this time. Just shame on you.

  63. Marco De Bortoli

    Guys, take a read of the board, they already gave an update:

    Official update by Jens Schumacher

    Thanks for the feedback and sorry about the lack of response. The issue with providing updates on our progress is that estimates are just that, estimates. We prefer not to set false expectations, which we've done enough of in the past unfortunately.

    What we can do is provide a bit more detail on our current plan: We are continuing our work on an Atlassian wide identity service. At our scale, this is not a trivial problem to solve across the number of products and services we have.

    2FA is unlikely to be part of the initial SSO roll-out since it would delay the release even further. But it is on the roadmap after the initial release.

    Why are you waiting for the identity service instead of just implementing it in Bitbucket? We've considered this option, but it would likely result in a different implementation for Bitbucket which we then would have to migrate to the solution provided by the Atlassian-wide identity service.

    A year ago we truly believed that the identity service was only 3-6 months out and we've made the decision to wait instead of duplicating the effort. Unfortunately things changed and if we would have known at the time how much longer it would take us to deliver the service, we probably would have gone ahead and implemented it in Bitbucket first.

    I hope this provides a bit more insight into our plans for 2FA.

  64. jw

    To everyone replying "+1": note that there are 377 people watching this issue, meaning that every +1 is sent to the inbox of 377 people. A +1 does not add anything to the conversation, it only makes official updates harder to find.

    Instead of replying "+1", vote for this issue at the top of this page.

  65. Jens Schumacher staff

    Please note that the priority of issues is set by the reporter and does not necessarily reflect Atlassian's internal priority.

    However, since there have been a number of comments regarding the priority of this issue, and to avoid further confusion, I've adjusted the priority to better reflect our internal priority.

  66. gpoul

    FIDO U2F would be awesome and actually still state of the art right now, but considering how old this feature request is I'm not going to hold my breath.

  67. Robert Simmons

    Please add support for both TOTP and FIDO U2F. This would create an ideal situation. Users with Yubikey can authenticate and users that have not purchased Yubikey can still use free apps like Google Authenticator and Duo.

  68. Henrik Pedersen

    I took a look at all the other issues on here. For a company that's selling developer tools they got the slowest possible release cycle on earth. There have literally been multiple versions of Windows between single features by Atlassian.

  69. Ryley Kimmel

    I have moved a private project from here to Github because Github actually offers 2 factor auth; this is a really great service but I simply will cease to use it if I cannot ensure the safety of my account.

  70. Digital Technology

    This is actually stopping my company from migrating to BitBucket.

    I would like Atlassian to give an indication if this is on the roadmap, and if it is, what the proposed timeline is

  71. Anonymous

    No, no, forget about Google Authenticator. Authy is so much better: it has Chrome extension, supports multiple devices, backup and restore of accounts, and a PIN lock. Plus account icons to make them clear and visible. Google Authenticator doesn't even come close to it and deserves to be abandoned.

    Anyway, too bad we can't use any of these apps with Bitbucket.

  72. appslv

    Please start a new thread for your opinions. This thread is for the request of TFA implementation, and others supporting it. TFA = Two Factor Authentication! If you have a chrome extension, then when you lose your laptop they have access to everything. The point of TFA is to use a different device to authenticate the main device. There is no point to have TFA, if you're just using a single device.

  73. Maxim Rybalov

    @evgenyg , almost everything you listed "positive" about Authy goes against the idea of proper 2-factor authentication...Having said that, this isn't a proper place to discuss merits of various 2fa solutions, so let's stop that discussion.

  74. Tyler Mapp

    The issue still stands that they have no concern for the users. Despite the uptick in chatter on this their presence is few and far between.

  75. Robert Simmons

    @evgenyg As the previous post mentioned, Google Authenticator, Authy, Duo sec, and many others are all implementations of a client for RFC 6238 TOTP second factor auth. The server side is the same for all of them. You, as the user, would be free to choose whichever client software you like.
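    The original request (RFC 6238 TOTP, compatible with Google Authenticator) and the point made just above that every authenticator app speaks the same server-side protocol, shown as an added Python example that is not from this thread or from Bitbucket. It assumes the Google Authenticator defaults (SHA-1, 6 digits, 30-second step) and a hypothetical `verify` policy of a one-step drift window plus replay rejection via the last accepted counter.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a server-side verify routine (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

TIME_STEP = 30   # seconds per counter value (Google Authenticator default)
DIGITS = 6       # Google Authenticator shows 6 digits; the RFC test vectors use 8


def hotp(key: bytes, counter: int, digits: int = DIGITS, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = DIGITS, step: int = TIME_STEP,
         digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps since the epoch."""
    return hotp(key, unix_time // step, digits, digest)


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that the user scans as a QR code during enrolment."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def verify(secret_b32: str, submitted: str, unix_time: int,
           last_counter: Optional[int], window: int = 1) -> Optional[int]:
    """Server-side check (hypothetical policy). Returns the accepted counter or None.

    - tolerates clock drift of +/- `window` time steps
    - rejects any counter <= last_counter so a code captured once cannot be replayed;
      the caller must persist the returned counter per user
    - compares in constant time so response timing leaks nothing about the code
    """
    key = base64.b32decode(secret_b32, casefold=True)
    current = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleService"))  # constructed names
    now = int(time.time())
    code = totp(base64.b32decode(secret), now)
    print("current code:", code, "-> accepted counter:", verify(secret, code, now, None))
```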

  76. Michael Johnson

    I know that there is a drive to get a "perfect" solution in place, but it shouldn't block implementation of a good solution in the meantime.

    It would be perfectly fine to set up a minimal method of 2FA using TOTP and requiring keys to access repositories directly as a starting point. If someone is knowledgeable enough to configure 2FA, they are likely already using SSH keys for git and mercurial access or are capable of getting that set up.

    Simply allow users to enable extra security for web logins and require OAuth for API access and SSH keys for direct repository access if that's enabled. You already have the mechanisms in place for the API and repositories, so with a little warning about what will need to be changed for users, it would be possible to put something in place sooner rather than never.

    It's been just over two years now since this issue was opened, so please see what's practical to do right now as you're behind the curve on security measures for your users and falling further behind every day.

  77. Brian Westrich

    Great practical ideas. Leveraging these, here's a suggestion of a (hopefully very simple) enhancement to bitbucket that might resolve these security deficiencies.

    I currently use ssh keypairs to access my bitbucket git repos (good stuff, in some ways stronger than a typical TFA setup). I can also log into bitbucket using my google account, which is already protected by TFA.

    If there was a checkbox I could click in my bitbucket profile settings that disabled all logins except those via my google account or ssh keypairs, I think I'd have all I need.

    Am I overlooking something else that would be needed to enjoy TFA or stronger authentication while using bitbucket?

    Brian Westrich 612-508-1827 bw@mcwest.com

  78. Jared Devers

    The Bitbucket team has wasted a significant amount of time waiting on the build of Atlassian ID when there are plenty of other Open ID / 2FA solutions out there that could have given us what we needed sooner and bolted on Atlassian ID later once it was actually ready.

  79. Henrik Pedersen

    Since this is not getting done anyway, we might as well have some fun in this thread. And I will start: Guess who should definitely get an award for worst email signature ever?

  80. Zachary DuBois

    Lol. He should edit his comment. It is very spammy even though this thread is sent to 430+ people for each reply. I am really surprised they haven't updated this thread yet.

  81. Thomas Pasch

    Good day,

    my time at Novabit is coming to an end. This mailbox is no longer read regularly and mails are not forwarded. To get in touch, please use the contact options given on the website www.nuclos.de.

    With best regards

    Thomas Pasch

  82. eq_pe

    Dear BitBucket - you guys are incompetent, and your parent company releases shitty products like Confluence and Jira. Carry on.

  83. Shawn Kelly

    I am currently out of the office and will be returning Monday, April 6th.

    Thanks

  84. Lee Zumstein

    Would love to see this. Recently started researching options for migrating our locally hosted subversion repository to an online solution and Bit Bucket came up as a possibly great solution. However, two-factor authentication is a must for us for security reasons. Will have to look for other options until this feature is supported.

  85. Digital Orchard

    Jen... are you serious? BitBucket allows 1-character passwords? That is inexcusable! The developer(s) responsible for that should be .... well, I'll stop there.

    Come on Atlassian... quit being silent on this issue. Your reputation is at stake. What is your plan to address this growing concern?
