Issue #18054 new
Jesse Yowell created an issue

Currently, there are sites that will allow 2FA / TOTP without having to add SSH keys for authentication. For Bitbucket, we'd need to expand this using SMS.

For now we only allow normal 2FA or FIDO U2F with use of SSH keys.

Comments (1)

  1. Joel Parker Henderson

    Thank you. I appreciate your help with this.

    The technical goal is to separate the web GUI MFA from the SSH key upload, because I need this separation for devops automation.

    The business goal is to make it secure and easy for a manager to start using the Bitbucket web GUI with strong sign-in security as provided by Authy. For example, add the capability for a new user to sign up, then immediately add Authy, without needing to do any extra steps such as creating an SSH key and then uploading it to Bitbucket.

    In case it's relevant or helpful, here's context...

    This approach of MFA-first is how we're using similar services, including GitHub, GitLab, Azure Repos, and AWS CodeCommit.

    My technical understanding is that there's no reason the web GUI MFA would need an SSH key. For example, I use Authy with many sites, and all of these have Authy MFA capabilities without needing an SSH key. For example, I use SSH keys with many sites via a command line interface (CLI), without needing a web GUI MFA.

    I'm writing devops tooling, and I have a strong preference for making the web GUI MFA wholly independent of any CLI MFA and/or API MFA. In case it's relevant, I'm using SSH keys that already have multi-factor authentication, i.e. the private key file plus a password. The password is stored in RAM environment variables, and managed using Vault by HashiCorp.

    Your feature request mentions using SMS. I agree that SMS could be one way to implement this. For my users, I would prefer a non-SMS implementation, because SMS is not high-security and also not high-reliability for global users. If your team is open to considering implementations, how about a higher-security solution such as Signal? Signal is excellent for high-security, and for high-reliability global use cases, and high-automatability for devops of the kind I'm writing.

    Thanks again for your help and consideration. Feel free to contact me if I can be of any assistance to make progress together.
