Option to disable username and password login (BB-13647)

Issue #11040 invalid
Bruce Li
created an issue

Mentioned by Brian Westrich in issue 7016:

If there was a checkbox I could click in my bitbucket profile settings that disabled all logins except those via my google account or ssh keypairs, I think I'd have all I need.

The lack of 2FA has stopped many users from starting or continuing to use BitBucket. While waiting for the Atlassian ID implementation, disabling email/password login would let users benefit from 2FA protection right away.

Comments (18)

  1. Jordan R

    I totally agree, the mechanisms are all there to provide secure logon; the real problem is that there is no way to disable insecure or unwanted logon types. Please consider adding a set of checkboxes to approve/disallow each authentication type/source.

  2. Norman Gray

    Voted for, but with the proviso that this should perhaps be retitled as "Disable all login except OpenID" (which I think is how the "google login" is actually implemented). Not all of us decide that Google is a desirable IdP....

  3. Bruce Li reporter

    Norman said:

    should perhaps be retitled as "Disable all login except OpenID"

    Had a think on it. The key point is that currently we can't disable the BitBucket "username and password" login, which is not protected by 2FA. Disabling it (and unlinking unwanted ID providers) should be good for most cases.

    A set of checkboxes might be nice to have but is not necessary for this requirement. It would be good to separate that into a new issue.

  4. Brian Westrich

    Agree with your latest note, Bruce.

    Also, great idea setting up the new Issue to help us focus. Let's see if something good comes of it! I'm pretty happy with bitbucket, would hate to leave because of inadequate TFA support.

    Brian Westrich 612-508-1827 bw@mcwest.com

  5. Norman Gray

    Yes -- good edit: it's disabling the username/password that's the key point. Being able to disable IdPs that I definitely don't use would also be good, and in the same spirit.

    In fact, since I've only ever connected to Bitbucket by OpenID (I'm pretty sure), I think I don't have a password (can't get more secure than that!). Thus this is clearly a possible state within the current system, and an implementation of this might be as simple as 'deleting' a password.

  6. Scott Carpenter

    Excellent suggestion. This would help us continue to meet compliance requirements as well.

    Providing this feature will remove a major barrier to adoption for many enterprises for what (hopefully) is relatively little effort.

  7. Norman Gray

    @njb_said I don't much like Google either, and use pip.verisignlabs.com as my OpenID-based IdP. They support 2FA for the login to that service, so as far as I'm concerned, I already have 2FA-based authentication to the bitbucket website (and key-based ssh access for Mercurial pushes), so I'm happy.

  8. Jason Kanaris

    Since there seems to be no plan in sight to implement 2FA on BitBucket...

    Dear Atlassian: Please implement this feature so that we can force login via one of the OpenID providers you support, e.g. Google. This way I can use their 2FA.
