Add SMS support for 2FA codes.

Issue #13177 open
Gary Sackett staff created an issue

An SMS option would be a great addition to the 2FA system on Bitbucket.

Comments (6)

  1. Jim Redmond staff

    Note: NIST is advising against SMS recovery for MFA codes:

    Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.

    https://pages.nist.gov/800-63-3/sp800-63b.html

  2. Carlos A Vega

    Thanks for creating this ticket.

    If possible, it would be great if SMS (in addition to being a standalone 2FA method) works as a fallback to 2FA authentication via a 3rd party app. For example, if the user is unable to use Google Authenticator (mobile device unavailable, etc.), when the website prompts the user for authentication it should offer using SMS as an alternative 2FA method.

  3. Carlos A Vega

    If SMS is not an option, how about 2FA via an authentication app such as Google Authenticator? Does that impose the same risks as SMS?
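An added example (not Bitbucket's code, and not written by any of the commenters) that ties the three comments together: the NIST excerpt in comment 1 (SMS out-of-band only to a number confirmed to be on a mobile network, and no change of the registered number without a second factor at the time of the change), the fallback flow asked for in comment 2, and the authenticator-app alternative asked about in comment 3, implemented as RFC 6238 TOTP over HMAC-SHA1, which is what Google Authenticator computes. The `LINE_TYPE_BY_NUMBER` table, the `SMS_CODE_TTL` value, the `Account` class and all function names are assumptions made for this example; a real verifier would query a carrier or number-portability service instead of a dictionary.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed line-type table standing in for a real carrier / number-portability
# lookup (an assumption for this example; the page names no such service).
LINE_TYPE_BY_NUMBER = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
}

TOTP_STEP = 30       # seconds per RFC 6238 time step
SMS_CODE_TTL = 300   # seconds an SMS code stays valid (assumed value)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one within +/- `window` steps of clock drift,
    comparing each candidate with a constant-time comparison."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), code)
        for drift in range(-window, window + 1)
    )


class Account:
    """Second-factor state for one user: authenticator app first, SMS as fallback."""

    def __init__(self, totp_secret: bytes, phone_number: str):
        self.totp_secret = totp_secret
        self.phone_number = phone_number
        self._pending_sms = None  # (sha256 hex of the code, expiry unix time)

    def sms_fallback_allowed(self) -> bool:
        # SP 800-63B: the verifier SHALL confirm the number is on a mobile network
        # and not a VoIP / software-based service before using SMS out of band.
        return LINE_TYPE_BY_NUMBER.get(self.phone_number) == "mobile"

    def issue_sms_code(self, now: int) -> str:
        """Generate a one-time SMS code; returned here instead of sent, for the demo."""
        if not self.sms_fallback_allowed():
            raise PermissionError("SMS out-of-band not permitted for this line type")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        # Store only a hash so a database read does not reveal live codes.
        self._pending_sms = (hashlib.sha256(code.encode()).hexdigest(), now + SMS_CODE_TTL)
        return code

    def second_factor_ok(self, now: int, totp_code: Optional[str] = None,
                         sms_code: Optional[str] = None) -> bool:
        """True if a valid authenticator code or a valid, unexpired SMS code is presented."""
        if totp_code is not None and verify_totp(self.totp_secret, totp_code, now):
            return True
        if sms_code is not None and self._pending_sms is not None:
            digest, expiry = self._pending_sms
            presented = hashlib.sha256(sms_code.encode()).hexdigest()
            if now <= expiry and hmac.compare_digest(digest, presented):
                self._pending_sms = None  # single use
                return True
        return False

    def change_phone_number(self, new_number: str, now: int, totp_code: Optional[str] = None,
                            sms_code: Optional[str] = None) -> None:
        """SP 800-63B: changing the pre-registered number SHALL NOT be possible
        without two-factor authentication at the time of the change."""
        if not self.second_factor_ok(now, totp_code=totp_code, sms_code=sms_code):
            raise PermissionError("second factor required to change the registered number")
        self.phone_number = new_number
        self._pending_sms = None  # codes issued to the old number are no longer valid
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors (secret `12345678901234567890`, time 59 gives `94287082` at eight digits), so it can be checked against the standard before any of the policy logic is trusted.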
