Support two-factor authentication (BB-7016)

Bruce Olson created an issue

Hello,

It would be awesome if you could give users the option to protect their Bitbucket account by using a two-factor authentication system.

It would be epic if you used the Time-based One-time Password (TOTP) algorithm specified in RFC 6238 (https://tools.ietf.org/html/rfc6238) so it would work with the Google Authenticator app for just about every mobile platform.

Thanks for providing a great service! Happy Holidays.

Comments (132)

  1. Sloan Looney

    +1

    Our board is asking me to report on the security of our source code and it's hard to convince them that putting it on the Internet protected by a username/password is sufficient. 2nd factors would make that conversation much easier. Using Google Authenticator is a great idea.

  2. arabold

    This feature will make most sense if I can enforce the use of 2-Factor Authentication for my team. Otherwise it's not very useful as people tend to be lazy and just "forget" to enable it themselves.

  3. Bradley Bergeron

    I love Bitbucket and have been using it for basically every repo I've made since I discovered it. I've also become a huge two-factor advocate over the past year. Please support this!

  4. Justen Stepka

    Official update:

    Atlassian is currently building an SSO system similar to what Google has for their business products to link all our offerings together, dubbed Atlassian ID. One of the longer term items on that roadmap is two factor authentication. Right now I cannot offer an ETA for two factor auth, however I can say that Atlassian ID will be a big leap forward and allow us to give teams a much better user experience when using multiple products. For those of you using Google Apps, that may be an option for you once we roll out Atlassian ID.

    Cheers, Justen -- Bitbucket product manager

  5. Andrew Shu

    Please stop spamming +1 in the comments.

    We no longer track "+1" on issues. Please use the vote link at the top right side of the page.

    Cheers, Marcus Bertrand Bitbucket Support

  6. ywliu

    Since a brute force attack on GitHub led to many compromised accounts, I hope Bitbucket can now start thinking about raising the priority of this request.

    Thanks for your attention.

  7. Ben McCann

    GitHub shipped a feature this afternoon that allows owners of paid organizations to see which members do not have 2FA enabled. That information is now visible on the organization's members page. Time to cancel that paid Bitbucket account I just set up.

  8. Dodzi Dzakuma

    You probably already know this but here is some information about the attack on one of your biggest competitors

    http://www.theguardian.com/technology/2013/nov/21/github-accounts-compromised-in-brute-force-attack

    http://www.theverge.com/2013/11/20/5126906/weak-github-passwords-lead-to-account-security-breach

    They sent out e-mails to users who had weak passwords and those that may have been compromised. Those using two-factor verification were safe. I have two-factor authentication enabled on my GitHub account.

    Seeing how the attacker(s) used multiple IP addresses over a period of several days to hack in, it is hard to track, making most sites vulnerable.

    I think it's about time that you changed priority of this issue from "Minor" to "Do it immediately to protect our business, our assets and our investors."

  9. Adrien Saladin

    Until this feature is implemented, an option is not to use your password to log into your bitbucket web account but instead use any identity provider already using 2FA, like google, facebook, twitter, github, ...

  10. Adrien Saladin

    babbosilva Yes this feature is missing, and I voted for this. My suggestion was to mitigate the problem for the web part.

    On your trusted computer you can use ssh keys, that would prevent someone looking over your shoulder.

    On untrusted machines, well I don't really want to push code or download private projects, and I don't need authentication for getting public projects.

    So I see one issue left: when pushing code for public projects from untrusted computers.

    There may however be other use cases.

  11. AndySomerville_HAE

    I'd say that there shouldn't be the concept of trusted and untrusted machines; only more trusted and less trusted. From that perspective 2FA is relevant in the other stories as well.

    And as a side note, it's probably even possible to connect the ssh agent to a 2FA system, adding a layer there.

  12. Wojciech Piekutowski

    Wow this ticket has only "minor" priority? It sounds like priority of keeping our source code safe is also "minor" for the Bitbucket team. Guys, seriously, do you really need to get hacked before you implement this? Why not learn from competition mistakes and make it the most important feature?

  13. Martijn Heemels

    Wojciech Piekutowski To be fair 'being hacked' isn't really the issue with this ticket. Password authentication has been an accepted authentication method for a long time and isn't suddenly unsafe, even if it could be improved. It's the responsibility of the users, not Atlassian, to use strong and unique passwords to avoid abuse of their repositories.

    If you can't trust someone to properly secure their account, you can't expect them to properly use two factors, right? Don't give them write access to your central repos and adopt a clone->pull-request workflow or something. Sure, I would like to see 2FA implemented, but 'most important'?

    Atlassian's main security focus should be making sure there's no other way to get to our code, such as bugs. Things that us users have no influence on, and could allow bypassing authentication or authorization, such as the March 2012 Homakov exploit at GitHub.

  14. Jacob Gable

    Martijn Heemels Nobody argued that passwords weren't an accepted authentication method or inherently unsafe, you are making a straw man argument. This ticket is about providing an extra layer of protection in case a security breach occurs.

    Your reasons provided for focusing on other things seem short-sighted and full of hubris considering the surface area of dependencies that a site like Bitbucket has for attacks, but the end is important in all things. If you never get hacked, you're right; but if you do....

  15. Sundeep Malladi

    Martijn Heemels Adding two-factor authentication doesn't mean that Atlassian will not continue contributing resourcing to plugging potential security holes.

    And while passwords may be an accepted form of auth, it's always been less than ideal as a method to confirm a user's identity. We can do better and this is an opportunity to do just that. Note too, Atlassian is now a latecomer to the 2-factor auth party, with Google, GitHub, Dropbox and a host of other online services using this approach to safeguard their customers' data.

  16. Martijn Heemels

    Jacob Gable I've edited my comment to be a response to Wojciech Piekutowski, which I meant to do in the first place. The tone of his comment and some others was unnecessarily sensationalistic, which usually does not help the ticket forward. Hyperbole only clouds the issues.

    Please do not assume that my comment meant I think 2FA is not important. I would like a higher priority too. However, in my opinion it is definitely not 'the most important'. Your opinion may differ of course.

    If we want this ticket to get more attention, a useful method would be to get more upvotes. Will everyone who commented with '+1' please make sure they've upvoted the ticket (top right), and convince others to do the same?

  17. AndySomerville_HAE

    Edit: I wrote my response before seeing your latest. I'll leave it for posterity anyway.

    > To be fair 'being hacked' isn't really the issue with this ticket.

    Martijn Heemels, respectfully, I disagree. "Being hacked" doesn't need to happen via some high tech means. Password guessing, shoulder surfing, and keylogging all count.

    > Password authentication has been an accepted authentication method for a long time and isn't suddenly unsafe,

    Again, I completely, respectfully, disagree. When passwords were used on small low-profile systems, they were less important because of the cost involved in identifying and customizing an attack to a target. Now that large amounts of extremely important, valuable information are "in the cloud" on public, high-profile, highly aggregated targets, accounts on those services are at higher risk.

    Passwords have always been a terrible authentication method, there just weren't many other viable options.

    > It's the responsibility of the users, not Atlassian, to use strong and unique passwords to avoid abuse of their repositories.

    This is completely wrong. Atlassian is the only one who can improve the security of Atlassian products. They are responsible to their customers & users to implement best practices. No one else can do it for them.

    2-factor is not a fringe idea. It's mainstream and done by most of the big players.

    > Atlassian's main security focus should be making sure there's no other way to get to our code, such as bugs.

    This is a low hanging fruit which cuts down on one of the weakest parts of the attack surface. There is every reason to make this high priority.

    Fortunately it's at least on the radar as they mentioned above that it will be part of Atlassian ID that they're working on.

  18. Wojciech Piekutowski

    Martijn Heemels the only answer I'd like to hear, as a customer looking for a GitHub alternative, is: "2-factor auth is going to be introduced on insert_exact_date_here". I'm pretty sure all the "unnecessarily sensationalistic" comments about "being hacked" will stop once a precise date (or at least an estimate) is announced here.

  19. Wisteso

    The previous company I worked for, and my current company will likely be moving away from Bitbucket due to lack of support for 2FA. The simple matter is that no one is perfect and a service like BB needs to stay current in the methods used to protect against security breaches. People get hacked by exploits that haven't been patched yet, laptops get stolen/lost, etc.

    The lack of a higher priority, or any recent information about a timeline for this feature indicates to us that Atlassian isn't too concerned with protecting the extremely delicate value of the I.P. that is stored on their servers. It's very unfortunate because I generally like Atlassian's products, but preference matters very little when your I.P. is at risk.

  20. James Mills

    Ditto to both Wisteso and Aaron. I may have to consider seriously moving away from Bitbucket as well. It's just a shame GitHub doesn't support Mercurial repositories :/

  21. Scott Roberts

    Oh please tell me this broader effort will also add SAML support along with MFA/OTP. You guys are behind in auth and identity management. I hope you guys get this right. As mentioned by Ben McCann if you implemented SAML, I could bring my own MFA/OTP.

  22. catskul

    Weekly reminder: +1 isn't tracked anymore and produces noise to everyone subscribed to the ticket. Please use the "vote" link/button in the box at the top right.

  23. Belai Beshah

    We are also waiting for this and would like an update of when it will be available. I agree with Zack Moore in that it will still not be useful until the team membership can enforce it since what stops a user from turning 2FA off.

  24. Evgeny Goldin

    Absolutely. Not having MFA becomes more and more of an issue these days. I just can't trust the password-only system, no matter how hard I protect (and I do) all my passwords.

  25. Bruno Durán Rey

    > This feature is currently in the works and will be released in about 45-60 days as part of our on-going effort to revamp Bitbucket / Atlassian's authentication systems for all OnDemand products. Cheers, Justen -- Bitbucket product manager 2014-01-29

    Hi there all people, ~62-63 days since this announcement.

    Regards, Bruno

  26. Keith Morrow

    eq_pe a feature like this, especially against an established codebase, certainly takes longer than a few days, certainly when you want it to be done right. And this is a security feature; you want those done right.

  27. Rahul Trikha

    This is exciting news guys, thank you so much for doing this. I just love BitBucket and wish you guys keep making it more awesome for all of us to use.

  28. andy_somerville

    Weekly reminder: +1 isn't tracked anymore and produces noise to everyone subscribed to the ticket. Please use the "vote" link/button in the box at the top right.

  29. Calrion

    I've just arrived from GitHub, and frankly I'm a little surprised 2FA hasn't been implemented here yet—I thought it was a given.

    I have to admit, the lack of 2FA has given me pause about whether I really want to migrate my private repositories here or not.

    I've voted for this issue. It's concerning to me that this issue is considered 'minor' and has been open for more than a year. I look forward to seeing progress.

  30. Dodzi Dzakuma

    This is a serious question to the moderators of this thread. How many votes are needed to consider this a "major" or even "critical" priority enhancement? I'm sure the followers of this thread would be able to act accordingly to get the needed number of votes if a CONCRETE number was established.

    If possible please inform us of the number of votes needed to make it "major" and the number of votes needed to make it "critical".

  31. Kevin Doolan

    Dear Justen Stepka,

    As a paying Atlassian / BitBucket customer who is holding off transitioning an entire company over to BitBucket pending the 2FA roll-out, I would very much appreciate an update on this.

    "45-60 days" has come and gone and no sign of the feature or an update on progress. We held off going elsewhere based on this announced timeline. We can't wait forever so we're going to have to move on if this isn't coming real soon.

    I look forward to hearing from you. Failing that I'll assume 2FA is not happening.

  32. Sam Xiao

    This request was originally made in 2012, and it took them 2 years and they still haven't added 2FA?

    I'll be leaving BitBucket if this is not enabled!
