
Issue #5811 resolved

Support two-factor authentication (BB-7016)

bano6010
created an issue

Hello,

It would be awesome if you could give users the option to protect their Bitbucket account by using a two-factor authentication system.

    It would be epic if you used the Time-based One-time Password (TOTP) algorithm specified in RFC 6238 (https://tools.ietf.org/html/rfc6238) so it would work with the Google Authenticator app for just about every mobile platform.

Thanks for providing a great service! Happy Holidays.

Comments (427)

  1. Sloan Looney

    +1

    Our board is asking me to report on the security of our source code and it's hard to convince them that putting it on the Internet protected by a username/password is sufficient. 2nd factors would make that conversation much easier. Using Google Authenticator is a great idea.

  2. Andre Rabold

    This feature will make most sense if I can enforce the use of 2-Factor Authentication for my team. Otherwise it's not very useful as people tend to be lazy and just "forget" to enable it themselves.

  3. Bradley Bergeron

    I love Bitbucket and have been using it for basically every repo I've made since I discovered it. I've also become a huge two-factor advocate over the past year. Please support this!

  4. Justen Stepka

    Official update:

    Atlassian is currently building an SSO system similar to what Google has for their business products to link all our offerings together, dubbed Atlassian ID. One of the longer term items on that roadmap is two factor authentication. Right now I cannot offer an ETA for two factor auth, however I can say that Atlassian ID will be a big leap forward and allow us to give teams a much better user experience when using multiple products. For those of you using Google Apps, that may be an option for you once we roll out Atlassian ID.

    Cheers, Justen -- Bitbucket product manager

  5. Andrew Shu

    Please stop spamming +1 in the comments.

    We no longer track "+1" on issues. Please use the vote link at the top right side of the page.

    Cheers, Marcus Bertrand Bitbucket Support

  6. ywliu

    Since a brute force attack on GitHub led to many compromised accounts, I hope Bitbucket can now start thinking about heightening the priority of this request.

    Thanks for your attention.

  7. Dodzidenu Dzakuma

    You probably already know this, but here is some information about the attack on one of your biggest competitors:

    http://www.theguardian.com/technology/2013/nov/21/github-accounts-compromised-in-brute-force-attack

    http://www.theverge.com/2013/11/20/5126906/weak-github-passwords-lead-to-account-security-breach

    They sent out e-mails to users who had weak passwords and those that may have been compromised. Those using two-factor verification were safe. I have two-factor authentication enabled on my GitHub account.

    Seeing how the attacker(s) used multiple IP addresses over a period of several days to hack in, it is hard to track making most sites vulnerable.

    I think it's about time that you changed priority of this issue from "Minor" to "Do it immediately to protect our business, our assets and our investors."

  8. Adrien Saladin

    Until this feature is implemented, an option is not to use your password to log into your bitbucket web account but instead use any identity provider already using 2FA, like google, facebook, twitter, github, ...

  9. Adrien Saladin

    @babbosilva Yes this feature is missing, and I voted for this. My suggestion was to mitigate the problem for the web part.

    On your trusted computer you can use ssh keys, that would prevent someone looking over your shoulder.

    On untrusted machines, well I don't really want to push code or download private projects, and I don't need authentication for getting public projects.

    So I see one issue left: when pushing code for public projects from untrusted computers.

    There may however be other use cases.

  10. Andrew Somerville

    I'd say that there shouldn't be the concept of trusted and untrusted machines; only more trusted and less trusted. From that perspective 2FA is relevant in the other stories as well.

    And as a side note, it's probably even possible to connect the ssh agent to a 2FA system, adding a layer there.

  11. Wojciech Piekutowski

    Wow this ticket has only "minor" priority? It sounds like priority of keeping our source code safe is also "minor" for the Bitbucket team. Guys, seriously, do you really need to get hacked before you implement this? Why not learn from competition mistakes and make it the most important feature?

  12. Martijn Heemels

    Wojciech Piekutowski To be fair 'being hacked' isn't really the issue with this ticket. Password authentication has been an accepted authentication method for a long time and isn't suddenly unsafe, even if it could be improved. It's the responsibility of the users, not Atlassian, to use strong and unique passwords to avoid abuse of their repositories.

    If you can't trust someone to properly secure their account you can't expect them to properly use two-factors, right? Don't give them write access to your central repos and adopt a clone->pull-request workflow or something. Sure I would like to see 2FA implemented but 'most important'?

    Atlassian's main security focus should be making sure there's no other way to get to our code, such as bugs. Things that us users have no influence on, and could allow bypassing authentication or authorization, such as the March 2012 Homakov exploit at GitHub.

  13. Jacob Gable

    Martijn Heemels Nobody argued that passwords weren't an accepted authentication method or inherently unsafe, you are making a straw man argument. This ticket is about providing an extra layer of protection in case a security breach occurs.

    Your reasons provided for focusing on other things seem short-sighted and full of hubris considering the surface area of dependencies that a site like Bitbucket has for attacks, but the end is important in all things. If you never get hacked, you're right; but if you do....

  14. Sundeep Malladi

    Martijn Heemels Adding two-factor authentication doesn't mean that Atlassian will not continue contributing resourcing to plugging potential security holes.

    And while passwords may be an accepted form of auth, it's always been less than ideal as a method to confirm a user's identity. We can do better and this is an opportunity to do just that. Note too, Atlassian is now a latecomer to the 2-factor auth party, with Google, GitHub, Dropbox and a host of other online services using this approach to safeguard their customers' data.

  15. Martijn Heemels

    Jacob Gable I've edited my comment to be a response to Wojciech Piekutowski, which I meant to do in the first place. The tone of his comment and some others was unnecessarily sensationalistic, which usually does not help the ticket forward. Hyperbole only clouds the issues.

    Please do not assume that my comment meant I think 2FA is not important. I would like a higher priority too. However, in my opinion it is definitely not 'the most important'. Your opinion may differ of course.

    If we want this ticket to get more attention, a useful method would be to get more upvotes. Will everyone who commented with '+1' please make sure they've upvoted the ticket (top right), and convince others to do the same?

  16. Andrew Somerville

    Edit: I wrote my response before seeing your latest. I'll leave it for posterity anyway.

    To be fair 'being hacked' isn't really the issue with this ticket.

    Martijn Heemels, respectfully, I disagree. "Being hacked" doesn't need to happen via some high tech means. Password guessing, shoulder surfing, and keylogging all count.

    Password authentication has been an accepted authentication method for a long time and isn't suddenly unsafe,

    Again, I completely, respectfully, disagree. When passwords were used on small low-profile systems, they were less important because of the cost involved in identifying and customizing an attack to a target. Now that large amounts of extremely important, valuable information are "in the cloud" on public, high-profile, highly aggregated targets, accounts on those services are at higher risk.

    Passwords have always been a terrible authentication method, there just weren't many other viable options.

    It's the responsibility of the users, not Atlassian, to use strong and unique passwords to avoid abuse of their repositories.

    This is completely wrong. Atlassian is the only one who can improve the security of Atlassian products. They are responsible to their customers & users to implement best practices. No one else can do it for them.

    2 factor is not a fringe idea. It's main stream and done by most of the big players.

    Atlassian's main security focus should be making sure there's no other way to get to our code, such as bugs.

    This is a low hanging fruit which cuts down on one of the weakest parts of the attack surface. There is every reason to make this high priority.

    Fortunately it's at least on the radar as they mentioned above that it will be part of Atlassian ID that they're working on.

  17. Wojciech Piekutowski

    Martijn Heemels the only answer I'd like to hear, as a customer looking for a GitHub alternative, is: "2-factor auth is going to be introduced on insert_exact_date_here". I'm pretty sure all the "unnecessarily sensationalistic" comments about "being hacked" will stop once a precise date (or at least an estimate) is announced here.

  18. Wisteso

    The previous company I worked for, and my current company will likely be moving away from Bitbucket due to lack of support for 2FA. The simple matter is that no one is perfect and a service like BB needs to stay current in the methods used to protect against security breaches. People get hacked by exploits that haven't been patched yet, laptops get stolen/lost, etc.

    The lack of a higher priority, or any recent information about a timeline for this feature indicates to us that Atlassian isn't too concerned with protecting the extremely delicate value of the I.P. that is stored on their servers. It's very unfortunate because I generally like Atlassian's products, but preference matters very little when your I.P. is at risk.

  19. James Mills

    Ditto to both Wisteso and Aaron, I may have to consider seriously moving away from Bitbucket as well. It's just a shame GitHub doesn't support Mercurial repositories :/

  20. Scott Roberts

    Oh please tell me this broader effort will also add SAML support along with MFA/OTP. You guys are behind in auth and identity management. I hope you guys get this right. As mentioned by Ben McCann if you implemented SAML, I could bring my own MFA/OTP.

  21. catskul

    Weekly reminder: +1 isn't tracked anymore and produces noise to everyone subscribed to the ticket. Please use the "vote" link/button in the box at the top right.

  22. Belai Beshah

    We are also waiting for this and would like an update of when it will be available. I agree with Zack Moore in that it will still not be useful until the team membership can enforce it since what stops a user from turning 2FA off.

  23. Anonymous

    Absolutely. Not having MFA becomes more and more of an issue these days. I just can't trust the password-only system, no matter how hard I protect (and I do) all my passwords.

  24. Bruno Durán

    "This feature is currently in the works and will be released in about 45-60 days as part of our on-going effort to revamp Bitbucket / Atlassian's authentication systems for all OnDemand products. Cheers, Justen -- Bitbucket product manager 2014-01-29"

    Hi there all people, ~62-63 days since this announcement.

    Regards, Bruno

  25. Keith Morrow

    eq_pe a feature like this, especially against an established codebase, certainly takes longer than a few days, certainly when you want it to be done right. And this is a security feature; you want those done right.

  26. Calrion

    I've just arrived from GitHub, and frankly I'm a little surprised 2FA hasn't been implemented here yet—I thought it was a given.

    I have to admit, the lack of 2FA has given me pause about whether I really want to migrate my private repositories here or not.

    I've voted for this issue. It's concerning to me that this issue is considered 'minor' and has been open for more than a year. I look forward to seeing progress.

  27. Dodzidenu Dzakuma

    This is a serious question to the moderators of this thread. How many votes are needed to consider this a "major" or even "critical" priority enhancement? I'm sure the followers of this thread would be able to act accordingly to get the needed number of votes if a CONCRETE number was established.

    If possible please inform us of the number of votes needed to make it "major" and the number of votes needed to make it "critical".

  28. Kevin Doolan

    Dear Justen Stepka,

    As a paying Atlassian / Bitbucket customer who is holding off transitioning over an entire company to Bitbucket pending 2FA roll-out, I would very much appreciate an update on this.

    "45-60 days" has come and gone and no sign of the feature or an update on progress. We held off going elsewhere based on this announced timeline. We can't wait forever so we're going to have to move on if this isn't coming real soon.

    I look forward to hearing from you. Failing that I'll assume 2FA is not happening.

  29. katzmopolitan

    Any updates on this? Looks like it's been in the queue for a long time and seeing all those news articles about security breaches is not reassuring. Looks like this issue is marked as priority "Minor". Maybe it's time to reconsider the priority?

  30. Jeronimo Backes

    +1 Please implement this. It would be great if google authenticator becomes supported (it does not need to be the ONLY additional authentication mechanism, not everyone likes it)

  31. Sasha Kotlyar

    2FA using TOTP or HOTP would be better than proprietary systems, because they're open standards and there are existing apps on every platform that support these mechanisms.

  32. Ted Jardine

    Sasha,

    Hah! At this point (almost two years since the OP), anything would be nice.

    Having said that, I hook mine up with Google apps which does have it, so I'm getting it on bitbucket...sort of.

  33. Sasha Kotlyar

    Ted,

    This issue has one of the highest vote counts, so I'd expect that at the very least it hasn't been forgotten.

    I also use the Google OAuth login for BitBucket, but as long as we still have the "standard" password login, that remains the weakest link, and that is what everyone here wants addressed.

  34. Gary Kramlich

    Forcing 2FA for web login would be awesome, but I'd like to see it go further and require it for pushes. Either at the repository level, the user level, or the ssh key level.

  35. Carl Sargunar

    I've got to say, I've been following this for so long and have been using Bitbucket for a while. I've not created any new repositories on Bitbucket as a result and have been using Github. I'll be using Github for all new work I create, and slowly my allegiance to bitbucket will wither and die ....

  36. mopsusm

    2 years... 574 votes, 172 comments, wow long thread. Here's another +1

    I looked around a bit and it looks like you can create a Bitbucket account using just a Google account, which would give 2FA for all access as best as I can tell. Also, once you have a Bitbucket account you can set it up to authenticate using a Google or GitHub account, again giving you 2FA via the third party. Is there any way to fully remove the ability to log in with Bitbucket username and password in favor of third-party auth once the account has been created?

  37. mopsusm

    Maxim, my apologies, I didn't mean to come off like a troll. Bitbucket is a great product, it just needs 2FA for Google Authenticator or Duo integration or something.

  38. cheapRoc

    Do really want. Security and privacy come first. Thanks.

    This should be a mandatory "all hands on deck" kind of feature... j/k bet you cringed? ;)

  39. Henrik Pedersen

    What the fuck? How can this still NOT be implemented? We are living in 2014!! I have lots of respect for Atlassian but this is like a car without any kind of security. It might work, and even run great, but hell yeah it's gonna get stolen and you might die if you get into a crash..

    So make it available in paid plans only. We don't care. We will throw our money in your face. But it's kind of a big deal to us and we might have to migrate to GitHub...

  40. Samurai Ken

    Well.. it looks like I will be migrating to GitHub after all. I like Atlassian, and I like the tool - but honestly this approach of just ignoring critical functionality and being openly dismissive of our concerns is borderline insulting.

  41. Belai Beshah

    Sad, but that is the same conclusion we have come to after waiting for 10 months for this bug to get fixed so that we can have better integration with our OnDemand JIRA/Confluence. We have now started the process of moving to GitHub instead. We also wanted the close integration with Bamboo with remote slaves too, another feature ignored by Atlassian PM while they develop stupid GUIs that color the developers' initials ☺, so we are looking for something else there too. It just looks like they don't care about providing an integrated developer's platform (ticket/code/wiki/build/testcase).

  42. Chris Graham

    I heard that HBO's "Last Week with John Oliver" is highlighting this as a "How Is This Still a Thing!" segment.

    So lame to not have this feature. I guess it will take a successful attack on their system to have it implemented.

  43. Peter Rocker

    Appalled that this isn't done after 2 years, especially considering the total lack of updates from Atlassian on progress. Have already stopped recommending BB to clients, and will be moving all my repos to Github (although it pains me!) next time I get a free few hours. Plus, the attitude Atlassian have towards this issue reflects poorly on the whole of their organisation!

  44. Andrew Wied

    total lack of updates from Atlassian on progress

    This is the most frustrating part for me. The people who use Atlassian's tools are developers. We understand that priorities change or that there may be unexpected impediments to progress, but we don't get to just ignore our customers when they ask for updates. I was a huge promoter of the Atlassian suite of tools to my clients, including Bitbucket, and I really want to recommend them again... But I've been following this issue since 2013 and have seen Atlassian respond once, promising the feature shortly and then complete silence afterward.

    I guess after all this time waiting in silence I just feel disrespected by having nobody comment periodically on the progress (or even lack of progress) on this issue. This isn't a minor item, and it is in everyone's best interest, both Atlassian's and us users. It would take a person a few minutes of time every few weeks. Atlassian, come on. Your customers are at least worth that.

  45. Tom Gillett

    I asked an Atlassian representative about this at a conference recently. They were aware of the issue, and mentioned that progress had been made but shelved pending the implementation of a universal logon for Atlassian services.

    Whether that is the case or not I don't know, but it did give me some hope that 2FA may still be in the pipeline.

    For all we know, the Bitbucket devs may be as frustrated as we are!

  46. George Mauer

    The silence is exactly the issue here. This (along with a similar thing happening with HipChat multiple-account login) is actually the biggest mark in the "cons" column for moving our whole company to Jira.

  47. hvaoc

    This one issue is weighing down my recommendation to use Bitbucket among my peers. It's easy to implement in a few hours (probably a few days); the good thing is you don't need to implement anything for the client tools. People are comfortable using authenticator apps from Google, Microsoft or Authy.

    And the good news is I implemented this for my website (written in node.js) on my way to work by bus (in a sweet 15 mins). And now I have 2FA (TOTP) for my own website's admin area.

    Come on, folks at Atlassian, you can do better.

    Give us a reason to smile.

  48. Matthew Jewell

    I don't make assumptions about how easy 2FA is to implement within a system of the scale of Atlassian. That said (as a long time follower), the most frustrating thing about the response or lack thereof to this issue is the "minor" priority it has been given. Enough has been said about the importance of 2FA for each of us, but what really confuses me is how this issue remains of minor status when I would think it enough that a) your largest competitor has it and b) the continued activity of this thread is evidence of the support for it from the community.

  49. Peter Rocker

    Yeah the last time Atlassian posted here about "Atlassian ID" was October 2013 - still over a year ago. I understand that a universal login is a big nice-to-have, but sacrificing implementing a more basic 2FA system for this in the meantime seems (in hindsight at least) a bad move.

    Perhaps we could have an update on the progress of Atlassian ID, along with a promise that it will include 2FA in its first release?

  50. Maxim Rybalov

    Tom Gillett Yes, they've been talking about Atlassian-wide SSO for probably over a year now.

    Everybody else, please don't just write "+1". That's useless to Atlassian for tracking and annoys everybody that subscribed to this issue.

    Instead, make sure you click on Vote in the top right corner of this page.

    Additionally, public shaming on Twitter is in order. Head to https://twofactorauth.org/ and click on the blue twitter button next to Bitbucket entry.

  51. Jens Schumacher staff

    Official update

    Thanks for the feedback and sorry about the lack of response. The issue with providing updates on our progress is that estimates are just that, estimates. We prefer not to set false expectations, which we've done enough of in the past unfortunately.

    What we can do is provide a bit more detail on our current plan: We are continuing our work on an Atlassian wide identity service. At our scale, this is not a trivial problem to solve across the number of products and services we have.

    2FA is unlikely to be part of the initial SSO roll-out since it would delay the release even further. But it is on the roadmap after the initial release.

    Why are you waiting for the identity service instead of just implementing it in Bitbucket? We've considered this option, but it would likely result in a different implementation for Bitbucket which we then would have to migrate to the solution provided by the Atlassian-wide identity service.

    A year ago we truly believed that the identity service was only 3-6 months out and we've made the decision to wait instead of duplicating the effort. Unfortunately things changed and if we would have known at the time how much longer it would take us to deliver the service, we probably would have gone ahead and implemented it in Bitbucket first.

    I hope this provides a bit more insight into our plans for 2FA.

  52. Willie Zutz

    Well that sure is a pretty disappointing update.

    Sounds like we're still many months away from 2FA. Guess it's time to start investigating moving to another service. Not that you care about losing my free account.

  53. scottheckel

    They should care about losing your free account. A free account turns into paid accounts and advocates who bring Bitbucket to their organizations. I for one would never pay for Bitbucket without 2FA.

  54. Adam K Dean

    We are identifying paid accounts, and this is a deal breaker, so yes, there is lost business. I like that the pricing here is team member constrained and not repository constrained like GH, and that it integrates into JIRA naturally, but this is a deal breaker, no two ways about it.

  55. Henrik Pedersen

    It's really a sad update. But.. Well.. I really like your service. If you could just update us more often...

    I will be waiting for it to roll out. It's a very big deal. I myself have an 80-character password or so, but I can't guarantee that my teammates will have the same, and neither will help us when our keys get stolen by malware..

    We considered Github, but it's too late for us now lol.. We've fallen in love with the Atlassian way of life.

  56. Samurai Ken

    This had been a real problem for me until recently. But the landscape is changing a LOT.

    I am not a fan of the GitHub service and so Bitbucket was a core tool for me. However - Microsoft has started hosting free private Git repositories as part of their Visual Studio Online initiative. You do not need to use VS for these, by the way - it is regular git and I use it for node.js projects as well. They have agile planning, bug tracking and so on with it. It is actually pretty good.

    Obviously, two factor auth is supported.

  57. Anonymous

    Happy New 2015, Atlassian. Still no MFA. Shame on you and I don't care what kind of excuse or broken promise you have this time. Just shame on you.

  58. Marco De Bortoli

    Guys, take a read of the board, they already gave an update:

    "Official update" by Jens Schumacher:

    Thanks for the feedback and sorry about the lack of response. The issue with providing updates on our progress is that estimates are just that, estimates. We prefer not to set false expectations, which we've done enough of in the past unfortunately.

    What we can do is provide a bit more detail on our current plan: We are continuing our work on an Atlassian wide identity service. At our scale, this is not a trivial problem to solve across the number of products and services we have.

    2FA is unlikely to be part of the initial SSO roll-out since it would delay the release even further. But it is on the roadmap after the initial release.

    Why are you waiting for the identity service instead of just implementing it in Bitbucket? We've considered this option, but it would likely result in a different implementation for Bitbucket which we then would have to migrate to the solution provided by the Atlassian-wide identity service.

    A year ago we truly believed that the identity service was only 3-6 months out and we've made the decision to wait instead of duplicating the effort. Unfortunately things changed and if we would have known at the time how much longer it would take us to deliver the service, we probably would have gone ahead and implemented it in Bitbucket first.

    I hope this provides a bit more insight into our plans for 2FA.

  59. Janwillem Swalens

    To everyone replying "+1": note that there are 377 people watching this issue, meaning that every +1 is sent to the inbox of 377 people. A +1 does not add anything to the conversation, it only makes official updates harder to find.

    Instead of replying "+1", vote for this issue at the top of this page.

  60. Jens Schumacher staff

    Please note that the priority of issues is set by the reporter and does not necessarily reflect Atlassian's internal priority.

    However, since there have been a number of comments regarding the priority of this issue, and to avoid further confusion, I've adjusted the priority to better reflect our internal priority.

  61. gpoul

    FIDO U2F would be awesome and actually still state of the art right now, but considering how old this feature request is I'm not going to hold my breath.

  62. Robert Simmons

    Please add support for both TOTP and FIDO U2F. This would create an ideal situation. Users with Yubikey can authenticate and users that have not purchased Yubikey can still use free apps like Google Authenticator and Duo.

  63. Henrik Pedersen

    I took a look at all the other issues on here. For a company that's selling developer tools they got the slowest possible release cycle on earth. There has literally been multiple versions of Windows between single features by Atlassian.

  64. Ryley Kimmel

    I have moved a private project from here to Github because Github actually offers 2 factor auth; this is a really great service but I simply will cease to use it if I cannot ensure the safety of my account.

  65. Anonymous

    No, no, forget about Google Authenticator. Authy is so much better: it has Chrome extension, supports multiple devices, backup and restore of accounts, and a PIN lock. Plus account icons to make them clear and visible. Google Authenticator doesn't even come close to it and deserves to be abandoned.

    Anyway, too bad we can't use any of these apps with Bitbucket.

  66. Adrian Kimmitt

    Please start a new thread for your opinions. This thread is for the request of TFA implementation, and others supporting it. TFA = Two Factor Authentication! If you have a Chrome extension, then when you lose your laptop they have access to everything. The point of TFA is to use a different device to authenticate the main device. There is no point to having TFA if you're just using a single device.

  67. Maxim Rybalov

    evgenyg, almost everything you listed as "positive" about Authy goes against the idea of proper 2-factor authentication... Having said that, this isn't a proper place to discuss the merits of various 2FA solutions, so let's stop that discussion.

  68. Tyler Mapp

    The issue still stands that they have no concern for the users. Despite the uptick in chatter on this their presence is few and far between. 

  69. Robert Simmons

    evgenyg As the previous post mentioned, Google Authenticator, Authy, Duo sec, and many others are all implementations of a client for RFC 6238 TOTP second factor auth. The server side is the same for all of them. You, as the user, would be free to choose whichever client software you like.
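    The OP asks for RFC 6238 TOTP, and the comment above points out that the server side is the same whichever authenticator app the user picks. As an added example that is not part of this thread and not Bitbucket's code, here is that server side in Python: enrollment (the otpauth URI the app reads from a QR code), the HOTP/TOTP computation, and a verification routine with a clock-skew window and a replay guard. The account label, issuer name and the demo secret are constructed; the RFC test-vector secret is used only in checks.

    ```python
    import base64
    import hashlib
    import hmac
    import secrets
    import struct
    import time
    import urllib.parse


    def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
        """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
        mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
        offset = mac[-1] & 0x0F                          # low nibble of the last byte selects 4 bytes
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, e.g. "07081804"


    def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
             digestmod=hashlib.sha1) -> str:
        """RFC 6238 TOTP: HOTP with counter T = floor((unix_time - T0) / X), T0 = 0, X = 30 s."""
        return hotp(secret, unix_time // step, digits, digestmod)


    def new_secret(length: int = 20) -> bytes:
        """Fresh per-user shared secret (160 bits for SHA-1), generated server-side at enrollment."""
        return secrets.token_bytes(length)


    def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
        """otpauth:// URI that authenticator apps import from the enrollment QR code.
        The issuer and account names are whatever the deploying service chooses (hypothetical here)."""
        b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
        label = urllib.parse.quote(f"{issuer}:{account}")
        query = urllib.parse.urlencode({"secret": b32, "issuer": issuer, "digits": 6, "period": 30})
        return f"otpauth://totp/{label}?{query}"


    def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int,
                    window: int = 1, step: int = 30, digits: int = 6) -> tuple[bool, int]:
        """Server-side check of a code the user typed in.

        Accepts the current 30 s step plus `window` steps either side to absorb clock
        skew between phone and server, but never a counter at or below `last_counter`:
        the server persists the counter of the last accepted code per user, so a code
        captured in transit cannot be replayed within its validity window.
        Returns (accepted, new_last_counter) so the caller can store the counter.
        """
        submitted = submitted.replace(" ", "")
        current = unix_time // step
        for counter in range(current - window, current + window + 1):
            if counter <= last_counter:
                continue
            # constant-time compare so response timing does not leak matching digits
            if hmac.compare_digest(hotp(secret, counter, digits), submitted):
                return True, counter
        return False, last_counter


    if __name__ == "__main__":
        # Constructed demo: enroll a user, verify a code for "now", then reject its replay.
        secret = new_secret()
        print(provisioning_uri(secret, "alice@example.invalid", "ExampleApp"))
        now = int(time.time())
        code = totp(secret, now)  # what the user's authenticator app would display
        ok, last = verify_totp(secret, code, now, last_counter=-1)
        print("accepted:", ok, "stored counter:", last)
        print("replay accepted:", verify_totp(secret, code, now, last_counter=last)[0])
    ```

    The replay guard is the part most home-grown implementations skip; without the stored counter a code phished or sniffed seconds earlier still works until the step expires.
    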

  70. Michael Johnson

    I know that there is a drive to get a "perfect" solution in place, but it shouldn't block implementation of a good solution in the meantime.

    It would be perfectly fine to set up a minimal method of 2FA using TOTP and requiring keys to access repositories directly as a starting point. If someone is knowledgeable enough to configure 2FA, they are likely already using SSH keys for git and mercurial access or are capable of getting that set up.

    Simply allow users to enable extra security for web logins and require OAuth for API access and SSH keys for direct repository access if that's enabled. You already have the mechanisms in place for the API and repositories, so with a little warning about what will need to be changed for users, it would be possible to put something in place sooner rather than never.

    It's been just over two years now since this issue was opened, so please see what's practical to do right now as you're behind the curve on security measures for your users and falling further behind every day.

  71. Brian Westrich

    Great practical ideas. Leveraging these, here's a suggestion of a (hopefully very simple) enhancement to bitbucket that might resolve these security deficiencies.

    I currently use ssh keypairs to access my bitbucket git repos (good stuff, in some ways stronger than a typical TFA setup). I can also log into bitbucket using my google account, which is already protected by TFA.

    If there was a checkbox I could click in my bitbucket profile settings that disabled all logins except those via my google account or ssh keypairs, I think I'd have all I need.

    Am I overlooking something else that would be needed to enjoy TFA or stronger authentication while using bitbucket?

    Brian Westrich 612-508-1827 bw@mcwest.com

  72. Jared Devers

    The Bitbucket team has wasted a significant amount of time waiting on the build of Atlassian ID when there are plenty of other Open ID / 2FA solutions out there that could have given us what we needed sooner and bolted on Atlassian ID later once it was actually ready.

  73. Henrik Pedersen

    Since this is not getting done anyway, we might as well have some fun in this thread. And I will start: Guess who should definitely get an award for worst email signature ever?

  74. Zachary DuBois

    Lol. He should edit his comment. It is very spammy even though this thread is sent to 430+ people for each reply. I am really surprised they haven't updated this thread yet.

  75. Thomas Pasch

    Good day,

    My time at Novabit is coming to / has come to an end. This mailbox is no longer read regularly and mail is not forwarded. To get in touch, please use the contact options given on the website www.nuclos.de.

    Best regards

    Thomas Pasch

  76. Shawn Kelly

    I am currently out of the office and will be returning Monday, April 6th.

    Thanks

    ################################################################

    NOTICE: The contents of this e-mail and any attachments to it may contain privileged and confidential information from the Sender’s Company or its affiliates. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this message and delete it from your system.

  77. Lee Zumstein

    Would love to see this. Recently started researching options for migrating our locally hosted subversion repository to an online solution and Bit Bucket came up as a possibly great solution. However, two-factor authentication is a must for us for security reasons. Will have to look for other options until this feature is supported.

  78. The Digital Orchard

    Jen... are you serious? BitBucket allows 1-character passwords? That is inexcusable! The developer(s) responsible for that should be .... well, I'll stop there.

    Come on Atlassian... quit being silent on this issue. Your reputation is at stake. What is your plan to address this growing concern?

  79. The Digital Orchard

    I think what's most concerning about this issue is the silence from Atlassian staff. The last response was February 1st. I know it can take time to properly implement such features, but it's been three months. Can we get a status update on this?

  80. Justin Klein Keane

    Recently, while working through a data security audit, the fact that Bitbucket doesn't support complex user authentication requirements came up as a major red flag. The evaluation was that using Bitbucket represents a serious data risk for any organization. While developers might love the functionality, legal, risk and compliance offices are appalled when they become aware of the poor authentication standards, especially in light of the intellectual property accrued in Bitbucket. How can companies assure customers of supply chain integrity if they use a code repository with such poor security? I'm sort of shocked that there are no options for enterprise customers, at the very least to enforce Atlassian (https://confluence.atlassian.com/display/JIRA/Password+Policy+for+JIRA) style account requirements. Are there really no options for enhanced security to assuage auditors?

  81. ba66e77

    Also, Bitbucket is VCS as a Service. Stash you have to host yourself. That’s an entirely different can of worms than using a hosted service.

  82. JM

    +1 (bano6010 created an issue 2012-12-25) it's been 2.5 years with Snowden, CelebGate, and a hundred other hacking scandals in between. This is the most pathetic non-feature add I've ever experienced from a company. I could almost (ALMOST) excuse this if it was a startup with 5 or 6 people trying to add other features to gain customers early in their life cycle... However Atlassian is a company that was valued at $3.3 BILLION dollars LAST APRIL.

    Come on guys, this is pathetic and your customers are suffering because of you. The LastPass hack that took place in the last couple of days along with the data of EVERY SINGLE federal employee being stolen in the last month at this point only serve to highlight how comically pathetic it is that BitBucket refuses to implement 2FA in 2015.

    Everyone watching this issue and receiving these emails should just drop the service and switch to GitHub in protest until Atlassian proves they actually value their customers' wants and needs by adding this feature. It's already too late for them to make this right. At this point they have to simply hope they can keep it from getting any worse.

    PS. Feel free to spam this board with +1 all you want. At this point that may be the only thing that actually gets these guys to take action.

  83. Zach Childers

    Our company has been with bitbucket a couple of years, and we have been patiently waiting for MFA. We have MFA enabled on all of our other services, yet our code base lacks this...it just doesn't make sense. After watching this thread for many months in hopes of a change, we just officially made the change to Github earlier today. I would prefer to stay with bitbucket, but instead am left with no choice but to leave and go to Github. I really can't believe how Bitbucket is being silent on this issue. It's unfortunate.

  84. Samuel Christie

    We're currently evaluating Microsoft's VisualStudio Online product which includes free, unlimited private repositories (either Git or proprietary TFVC). We've created our enterprise account and migration would be a snap. As an added bonus, they have free software development lifecycle tools built-in. We also have multi-factor authentication. The only thing that doesn't appear to be available yet is source code search (which Bitbucket is also lacking). So, as far as I can tell, there will be no compelling reason to stay with Bitbucket. I'm expecting that our team's decision will be to migrate to MS VSO in the very near future. I hope this helps some of you guys.

  85. Maxim Rybalov

    JM Please DO NOT encourage other people to spam this thread! Atlassian does not decide priorities based on number of replies, but number of votes! If you want to encourage them to implement this, contact their board of directors, shame them on social media, take your business elsewhere, but spamming here is not helpful.

    Zach Childers you know there are more than just 2 services that provide hosted git repos.

  86. JM

    Maxim Rybalov Clearly Atlassian does not determine its priorities based on the number of votes, because this thread has 1160 votes on a 2.5 year old issue that is marked as "Critical" and they not only have not fixed the issue, but they have gone out of their way to not even address it as much as they possibly can. This is pathetic.

    If you do not want to participate in this conversation and are satisfied with things the way they are, then you should stop watching this thread and receiving updates about it. Trying to shout down people who are demanding a change that in the Security and Privacy climate of 2015 is beyond warranted as table stakes for any serious online service only serves to show that you yourself are even more pathetic than Atlassian. I can only assume that you are a shill for the company that purposely trolls this thread attempting to quiet any dissent and honest conversation on this subject.

    You are the one who should stop commenting on this thread. NO ONE is making you follow this thread or participate in this issue if you are totally fine with things the way they are.

    Since this thread was opened it has been:

    • 2.5 years
    • 30 months
    • 129 Weeks
    • 905 Days
    • 21,720 Hours
    • 1.3 Million Minutes
    • 78 Million Seconds

    How long does Atlassian need to address an issue that every single responsible web services company addressed years ago?

    You should be ashamed of yourself for attempting to shout down those who demand to have their data protected. A company's codebase is its most valuable Intellectual Property resource. The fact that you think we should have to petition a board of directors or go to Twitter or Instagram rather than the Support and Services Forums of that company to demand this feature demonstrates how out of touch with reality you are.

    Please leave this thread if you are offended by hearing people voice their dissatisfaction with this issue. Believe me, you will not be missed.

    And to all my fellow customers who do not want to abide by this terrible policy and lack of respect for the BitBucket community, I say to you:

    SPAM AWAY MY FRIENDS! SPAM AWAY!

    +1

  87. The Digital Orchard

    Ironically, I switched to BitBucket after my previous Git hosting provider (CodeSpaces) was hacked into and had their business destroyed... overnight, literally. They failed to use multi-factor authentication at Amazon and one of their passwords was compromised. That business is no more. Gone.

    Does BitBucket really want to take a chance of their reputation being destroyed, or even tarnished, when implementing multi-factor authentication is an effortless (one day!) task these days? Or maybe there's stuff that we don't understand about their backend platform that makes it very difficult to implement?

  88. Ike DeLorenzo

    2FA / multi-factor auth (MFA) has certainly taken longer to deliver to customers than you would expect from a leading SaaS product like Bitbucket.

    As has been noted elsewhere, Atlassian will be rolling out an auth solution providing a single sign-on across our SaaS products. We are implementing this new sign-on technology in Bitbucket now, and 2FA/MFA will follow soon after its launch as a part of the security delivered by this solution.

    We also realize there is more to comprehensive security than just 2FA/MFA, and this is part of the reason for the delay in what would seem a simple addition to existing login. We are taking this issue seriously and we are in the process of acting on these very reasonable expectations. We want to address security comprehensively, with the understanding that source code is among the most valuable assets a company manages.

    We will keep the community current on progress on the Bitbucket blog, and here on this issue.

    Ike DeLorenzo

    PM, Bitbucket

  89. JM

    Ike DeLorenzo: I definitely appreciate your finally responding to this thread and providing an update to all of the concerned customers waiting for a solution to this issue. However on 10/7/2013, Justen Stepka, who was then the Product Manager of BitBucket said in this very thread:

    "Official update:

    Atlassian is currently building an SSO system similar to what Google has for their business products to link all our offerings together, dubbed Atlassian ID. One of the longer term items on that roadmap is two factor authentication. Right now I cannot offer an ETA for two factor auth, however I can say that Atlassian ID will be a big leap forward and allow us to give teams a much better user experience when using multiple products. For those of you using Google Apps, that may be an option for you once we roll out Atlassian ID.

    Cheers, Justen -- Bitbucket product manager"

    That update took place almost 2 years ago and we are still waiting on this solution from you. It would be very helpful to all of us if you could provide an actual date when we could expect this feature to be implemented rather than another "kick the can down the road" type response of "we are working on a full solution that will include 2FA at some point in the future so keep waiting."

    The best thing you can do for all of us is to provide a date (preferably soon since you have apparently been working on this system for nearly 2 years) when we can actually reasonably expect this feature to be a live security protection we can count on rather than a future pipe dream we are waiting for years down the road.

    Thanks.

  90. Sarah Pantry

    They only have a reputation as a joke. It’s 2015 and their security is still based in the 90s. I am pushing to move our company totally off all the Atlassian products we use as if they do not care about security then we do not want to tie our company to their soon to sink ship.

  91. Elvis Donald Attro

    This is just unbelievable, still dealing with that kind of issue in 2015, and the latest LastPass hack just makes this request more relevant than ever! Moving to bitbucket is no more an option for us because without any decent 2FA/MFA, Atlassian is not viable at all!

  92. Terje Elde

    While I do understand that these things can both take time and be hard to estimate, I think it's way overdue that the user base get at least a tentative schedule for the sign-on with 2FA/MFA. It might also appease the angry masses a bit if there's an indication of which tokens/protocols/solutions might be supported. Are people waiting for something that might not cover their needs anyway? There's a lot of options, from SSL-certificates, SMS-codes, TOTP (google authenticator), integration with third-party solutions (google accounts with 2FA?), FIDO, etc.

  93. Jim Allen

    We have recently added 2FA to our site. It took one developer 3 days to implement start to finish. There are well used and supported standard libraries and APIs.

    I just can't see a reason that Atlassian haven't added it. Surely security is important enough to them?

    I guess the only option is to look where

  94. alex paulson

    In the time since this issue was opened Gitlab.com started up, created a competitively featured product, AND implemented this very feature.

    Bitbucket, you are lagging WAY behind.

  95. Marc Delalonde

    I think the Atlassian team is aware of the priority of this ticket, so please add comments only for relevant updates. We are all frustrated about this problem, but please respect our mailboxes!

  96. Moshe Alfih

    While I agree with all the commenters that this should have been made, and still should be made, a priority (as in before EOM) rollout with or without Atlassian ID... And I agree that this can be implemented for Google Authenticator in 3-4 hours (I've done it in less)... And I agree that spamming this thread might be the only way to annoy SOMEONE at Atlassian to get a move on it (as less time will be wasted just fixing this rather than reading all these spam messages)... And I agree that a timeline is what we've been waiting for and "soon after its [Atlassian ID] launch" is actually GUARANTEEING that they haven't even started, won't start until after launch, and we are looking at closer to Q3/Q4 at earliest...

    We, as security conscious users can move our code elsewhere, and get over this hurdle. We, as uninterested observers, can stop watching this thread and stop complaining about the spam (that as explained earlier is NECESSARY). And finally, we as a whole, can update our passwords to 32 character strings (effectively disabling login) and use Google login instead with MFA. This will prevent brute forcing (as it is unlikely a hashed password of that length can be reversed anytime in the future), and we will never type in the password to be exposed to a MitM attack or a spoofed website. (Granted, Atlassian can offer the same "natively" by either solving this or Issue #11040 in a timely fashion.)

    Am I missing something? Feel free to chime in.

  97. Ben McCann

    What the heck is going on with Atlassian ID? Is it even being worked on? It's supposedly been coming for years. It's absolutely insane that you expect your customers' source code to remain insecure for years until some vaporware project is released. There needs to be a public roadmap and public commitment to a date on this or we're leaving Bitbucket.

  98. JM

    Marc Delalonde: The Atlassian team may be aware of the priority of this ticket, but that has not yet (in 2.5 years of false promises) led them to actually take action on it in any meaningful way. Perhaps only something like having this thread make the front page of Reddit or TechMeme will cause them to actually invest the few hours to protect their customers before the months or years it will take to complete their mythical Atlassian ID system. Clearly they like publicity when it comes in the form of valuation boosting splashy feature ads such as this from last week:

    http://techcrunch.com/2015/06/11/atlassian-opens-its-bitbucket-code-management-service-to-third-party-extensions/

    but when it comes to table stakes security enhancements that customers have been demanding for years all we get is more empty promises for future features that they deem large enough (Atlassian ID) to warrant a press release on TechCrunch.

    Please respect our right to voice our dissatisfaction with this issue that has now dragged on for 2.5 years in the Issues Forum of that company. If getting a couple of emails is such an inconvenience to you that it far outweighs actually getting a 2FA implementation from Atlassian ASAP, then you should probably not be watching a thread that is based on that subject.

  99. JM

    Ike DeLorenzo: We are all still patiently waiting, with bated breath, for an update from you regarding a time table (actual ship date) when we can reasonably expect this feature to be added to the login chain for BitBucket.

    Thanks.

  100. Vincent Luddington

    I think there's two things that need to be said here.

    To the community: Bitbucket provides a free service, and for most people it works, there's a number of reasons to use Bitbucket and a number of reasons not to. That said, I suppose we're getting what we pay for. If security is a big concern for you then not having two-factor authentication is a good reason not to use Bitbucket.

    There are many options and solutions available to you for source control and Bitbucket is not the be-all-end-all for your needs. You can and probably should move onto other services if you're not satisfied with the way things are working out. Migration might be a PITA but there's nothing wrong with jumping ship and going to the boat that floats best for you. Bitbucket is under no obligation to us to implement X feature just because we spam a thread. We're not being given a disservice here, there is no outrage to be had, we're using the service because we chose it, a choice that can easily change. It's on Bitbucket to decide whether or not it still wants its community to keep betting on their horse.

    Still, that said, there isn't anything bad with hoping for more. Nothing at all. It's when we expect it that things approach entitled ground. The enterprise and paying customers though, you've got some legs to stand on.

    To Bitbucket: Wake up. It's 2015, recent events over the past few years should have awoken a raging beast within admins and engineers everywhere barking that security and customer data integrity should be the forefront of a webservice based business. You can't just toss things behind ssh, https and call it a day. It's an ongoing, everyday process that will never end. The bad guys are working round the clock trying to kick over the walls you put up and eventually one of them will bring a ladder. Two-factor authentication isn't the end of security measures but it's a good step in the right direction. The community is asking for this feature, many people call it a deciding factor to use your service, the ball's in your hands here, you can't just refuse to play. Someone malicious out there will eventually tackle you and you'll be licking your wounds with regret. Do you want a satisfied user base? Do you make money when people use your service? What would happen tomorrow if all traffic to your service stopped? I'm not saying this is happening but just trying to reiterate that your community is a part of your model, nothing wrong with doing right by them. Your call though.

    You have a fantastic service and we're all glad and very grateful you provide it openly for free, the ease of use, the flow, the tools provided are perfect for scalability of project management. I enjoy many things about the service and have made my choice to move here from GitHub because of the private repo feature. Thank you for that. Still, just a little bit further to go from awesome to epic. You're like a skater doing a 1080 double kick-flip to christ-air off a halfpipe, just need to stick the landing.

  101. Maxim Rybalov

    To the community: Bitbucket provides a free service, and for most people it works, there's a number of reasons to use Bitbucket and a number of reasons not to. That said, I suppose we're getting what we pay for. If security is a big concern for you then not having two-factor authentication is a good reason not to use Bitbucket.

    Vincent Luddington, except Bitbucket is not a "free-only" service as can be easily seen on https://bitbucket.org/plans. Quite a lot of people in this issue are/were/will be paying customers.

  102. Chris Knight

    The reason this is such a hot topic is because we basically trust them with what accounts for the bulk of our corporate IP and pretty much all of the company's value. If it gets hacked a lot of companies are going to be in big trouble. This is much more than just another feature! I wonder if they will refund what we have paid if this does happen because it might as well have been an open source project.

  103. Alexander Huth

    2FA is a powerful feature but it will not make BitBucket unhackable and its absence does not make your private repos public.

    Choosing to use a third-party service for anything, paying customer or not, means accepting a certain amount of risk that the service will be compromised. Spreading FUD on this issue page is almost certainly not the most expedient way for you to mitigate that risk.

  104. Chris Knight

    Nothing will make it bulletproof but they should at least follow best practices when holding such important data. I would term this feature as best practice in this field. What frustrates people is them spending time on frivolous vanity projects whilst this is left undone. Make no mistake, we are planning on leaving the full Atlassian stack due to their lack of attention to such issues.

  105. David le Blanc

    I'm genuinely concerned that this topic has been active for four years, and still isn't resolved? Even the open source gitlab products support two factor authentication (as does the hosted version) I have a paid enterprise account including Jira/Confluence/Bamboo.. I'm thinking it's high time to move.. I'll be voting with my feet and my wallet unless Atlassian shows a modicum of initiative and at least tries to catch up!

  106. Ryan Choi

    Agree with most of the sentiments here; To folks +1ing, press the "Vote for this issue" button on the top right of this thread - if you haven't already!

  107. Ted Timmons

    Please stop adding +1 as a comment. You're spamming 500 people who are watching this ticket, 99% of whom are simply annoyed and can't do anything about it. Instead, 'vote' for it at the upper right. Please. You're computer-savvy enough to be interested in 2FA and git repos, you should be aware that "me too" posts are annoying and useless.

  108. Moshe Alfih

    Egor, I disagree 100%. The simple benefit is that the password is NOT stored in a password manager. LastPass has been hacked for example, and while the data hasn't YET been decrypted, it doesn't mean it won't be possible or that a high value target won't warrant the effort. Local password managers are susceptible to virus infection as you mention. It is not practical to create a SECURE password AND remember all the unique ones. While a 2FA app is a password manager: (1) it's not on the same machine, and on a mobile device which to date is more secure/less targeted than your typical PC (2) the password part CAN be remembered. Thus a virus on your PC can get your password and even your 2FA code, but that expires within minutes. (To partially address this, some providers do not allow two logins with the same token -- you must wait and use the next generated token.) Malware on your phone can, assuming it breaks the sandbox, access your 2FA shared key (same as theft, except not as obvious), but not your neurons. Hence it is called 2 Factor Authentication. You are correct that if misused, 2FA may end up being just one (example, you save the QR code that sets up your device on your PC, and also store the password on the same PC).

    In addition, 2FA makes brute force useless -- even if it is distributed attack from unique IP addresses and they fail to lock the account after X attempts. They would need to brute the password, and MULTIPLE different token sequences, and then reverse the shared key that generated these sequences.

    I concede that setting a random strong password might be as good as 2FA -- if you don't save it anywhere and just use SSO from a provider that takes security seriously. See above where I recommended just that.

    Bottom line, I trust the security experts to advise on these things, not some random blogger or the media. If you found a weakness with it, maybe take it up with people who study security for a living, not try to convince the developers who use BitBucket as a service.
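    The earlier remark that Google Authenticator, Authy and the rest are all just RFC 6238 clients against one server-side algorithm, and the points above about refusing a reused token and making brute force useless, both come down to a few dozen lines on the server. The block below is an added example written for this thread, not code from Bitbucket or Atlassian: `hotp`/`totp` follow RFC 4226 and RFC 6238 (checked against the test vectors published in those RFCs), and `TotpVerifier`, its drift window, failure limit and lockout period are illustrative assumptions about how a service would keep per-account state.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP plus a server-side verifier that rejects reused
codes and rate-limits guessing.  Added example; class and parameter names are
hypothetical, not any particular service's implementation."""
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # what Google Authenticator style apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS, digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, digest)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import from a QR code; the shared
    secret travels base32-encoded, so the URI is as sensitive as the key itself."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Per-account server state (hypothetical).  window: time steps of clock drift
    tolerated on either side.  A step that already produced a login is never accepted
    again, and repeated wrong guesses lock the account so the million-code space
    cannot simply be searched, even from many source addresses."""

    def __init__(self, secret: bytes, window: int = 1,
                 max_failures: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.window = window
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.last_accepted_step = -1   # highest step consumed by a successful login
        self.failures = 0
        self.locked_until = 0

    def _matching_step(self, code: str, now: int) -> Optional[int]:
        code = code.strip()
        if len(code) != DIGITS or not code.isascii() or not code.isdigit():
            return None
        current = now // STEP_SECONDS
        for step in range(max(0, current - self.window), current + self.window + 1):
            # constant-time compare so response timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, step), code):
                return step
        return None

    def verify(self, code: str, now: int) -> Tuple[bool, str]:
        if now < self.locked_until:
            return False, "locked"
        step = self._matching_step(code, now)
        if step is not None:
            if step <= self.last_accepted_step:
                return False, "replayed"   # a code observed in transit is single-use
            self.last_accepted_step = step
            self.failures = 0
            return True, "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return False, "locked"
        return False, "bad-code"


if __name__ == "__main__":
    import time
    secret = b"12345678901234567890"          # the RFC 4226/6238 test-vector key
    print(provisioning_uri(secret, "alice@example.com", "ExampleSCM"))
    now = int(time.time())
    v = TotpVerifier(secret)
    print(v.verify(totp(secret, now), now))   # (True, 'ok')
    print(v.verify(totp(secret, now), now))   # (False, 'replayed')
```

    The replay check is what answers the "same token twice" question in the comment above: a code that someone sees on the wire is worthless once the legitimate login has consumed its time step, and it is also rejected if presented again within the drift window. The lockout is what turns a six-digit code from something guessable into something that costs the attacker the password as well.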

  109. egor homakov

    it's not on the same machine, and on a mobile device which to date is more secure/less targeted than your typical PC

    Right

    To partially address this, some providers do not allow two logins with the same token -- you must wait and use the next generated token

    What's second login for? I do things with man in the browser, right in your context.

    They would need to brute the password, and MULTIPLE different token sequences, and then reverse the shared key that generated these sequences

    In simple pw scheme bruting that password shouldn't take much time. Complex pw alone is not bruteforceable at all. Why MULTIPLE? 1 time is usually enough. Or 2. Still very easy to brute.

    I trust the security experts to advise on these things, not some random blogger or the media.

    If you'd click some links on sakurity.com you might think i am a security expert too :) Unless it was an insult attempt.

    P.S. let's continue chat about it over email, twitter or comments, not here :)

  110. Chris Reid

    Can we please move the discussion on how secure 2FA is out of this issue?

    If you don't want to use 2FA then don't use it, no one is forcing you. For the rest of us who want to use 2FA, we are posting in this thread to add support.

    I'm sure if/when bitbucket decides to add support for 2FA, it will be optional so if you don't want to use it, don't enable it.

    Please respect the inboxes of your fellow developers. Thank you.

  111. JM

    Ike DeLorenzo it has been over a month since you promised to keep us updated regarding this issue on the BitBucket blog AND this thread. So far we have heard nothing further regarding this issue.

    I also asked you after you last replied to give us some sort of time table we can reliably count on to have this feature (4 years in the making) finally rolled out. I am not asking for an exact date, but something on the order of: 1 month, 6 months, just give up this is never coming would be immensely helpful for those of us who need this feature to be able to hold Atlassian accountable for this feature on a reasonable (4 years late) time scale.

    Thanks again. I look forward to your response.

    ps. +1 if you need this feature. The last time we hit this thread with +1 was the first time we got an official response in ages. This needs to happen.

  112. Samurai Ken

    I stay subscribed here sort of as a morbid curiosity. I have long since moved my public code back to Github and my private stuff to Visual Studio Online (which has a "plain" git variant available, no windows tools needed).

    I keep this link around for any time a client asks if we should use the Atlassian tools and what I think of the firm's ability to remain competitive.

  113. The Digital Orchard

    I've heard from a little birdie that Atlassian is very much committed to bringing 2FA to Bitbucket and is working hard towards that end. However, since they have a much larger infrastructure than Bitbucket itself, this is taking some time and a full implementation is still a few months away. From what I understand, they will be providing an official update for the users here very soon, so remain patient.

    The long delays have not been ideal, but the world is not as simple as we'd all like, now is it? :)

  114. Keith Morrow

    We've heard that over and over and over again. It's been many years now, and I think that's been stated at least 3 or 4 times. Either the deadlines are missed, the official updates are meaningless, or there's just nothing altogether. I'm basically staying subscribed to this for the same reason as Samurai Ken - as a morbid curiosity, despite having moved my repositories elsewhere. It's a shame that it's taken this long, even for something that might be somewhat complicated.

  115. Berkeley Churchill

    Yes, they said this. They also said that, had they known how long it would take, they would have implemented 2FA for just Bitbucket before Atlassian wide. I still think they'd be smart to prioritize Bitbucket now and worry about total integration later. I'd consider this cutting losses.

    To me, this looks like poor project management -- rolling out smaller pieces over time is almost always easier than doing it all at once; and, in this case, they'd keep their customers happier too.

  116. Martin Bravenboer

    I have very low confidence in Atlassian product management and their understanding of the needs of enterprise accounts. Even once we finally get 2FA support, allowing users to optionally enable 2FA authentication does nothing at all in an enterprise setting. You need enforcement, otherwise there will always be users who do not care and do not enable it anyway. Therefore, it is critical that accounts can require team members to have 2FA authentication enabled, and require SSH for command-line access to repositories. The issue I filed for this was closed https://bitbucket.org/site/master/issues/8493/allow-accounts-to-configure-authentication as won't fix.

  117. alex paulson

    So staff are quick to close duplicates of this issue, it is one of the highest voted issues here and yet nothing happens.

    Once in a blue moon we get a promise that it will come soon as part of some other update, and that we will all be kept informed.

    So far those updates come and go and we're none the wiser on when/if Atlassian will approach this.

    My account is only open because my employer currently uses Bitbucket, I will be removing my personal repos from Bitbucket and discussing with my employer an alternative solution where security is taken seriously.

  118. Alex Hempel

    Please add two-factor authentication. This request has been open for three years and nothing has happened. TFA is essential these days as passwords just aren't good enough any more.

  119. Dan Bennett staff

    A quick update from Bitbucket engineering:

    An earlier, Bitbucket-only, multi-factor / two-step authentication implementation is being defrosted and readied for production release ahead of the launch of Atlassian SSO service. The ETA is currently less than six weeks and if the feature is not released by September 30th I will return to explain precisely why we failed to deliver (though, it is unlikely that I will have to do so).

    Note: this will not be the final implementation and, as stated in comments above, there will be an Atlassian-wide two-step process rolled out that will supplant our version and provide expanded capabilities. This implementation will only serve to bridge the gap.

    Thanks,

    Dan Bennett, Bitbucket Development Manager

  120. Jonas Thyregod

    Hi Dan, that sounds great. Thumbs up for that! :-)

    Does the solution also include some extra password strength? Currently Bitbucket allows single-word passwords like "x", which is just too insecure. Also, a way to force or monitor (through the API?) that team members are using 2FA would be much appreciated :-)

    Kind regards Jonas Thyregod

  121. Dan Bennett staff

    Jonas Thyregod

    • We actually do require a minimum password length of 8 characters these days.
    • Forcing is a challenge as you do not own the accounts of your team members; they do. An API to check 2fa status might be interesting -- but certainly not planned for the initial release. Post launch I'm sure we'll get lots of good suggestions for improvement that we'll have to consider.

    Jason Kanaris

    • Wrong Dan but close enough. :)

    Belai Beshah

    • Though I am sorry to hear that Belai, I wish you success with whichever tools you find best suit your needs.

    Thanks,

    Dan

  122. George Mauer

    Thank you Dan for the update. This is great to hear.

    For future reference, this is the sort of attention that this thread needed long ago. Developers can understand missed deadlines, overwrought specs, and architecture astronautics; it's much more difficult, however, to abide a promise followed by complete radio silence. Not so much the lack of SSO, but the lack of transparency is what has forced me to warn many others about Atlassian and Bitbucket (and I'm a huge hg fanboy) over the last few years.

    That being said, I certainly applaud you for what seems to be a first step to remedy both the lack of communication and the actual technical issue. Thank you very much.

  123. Ben McCann

    A small UI indicator on the teams page or user group page showing who has it turned on would be greatly appreciated. Being able to report on it is definitely a requirement if there's no way to enforce it.

  124. Brian Rozmierski

    Really, if we can't "enforce" it on the user level and make them use 2FA, can we at least mark the team/repo "2FA Required" so that even if they are on the team/repo they can't access it w/o enabling 2FA?

  125. Dan Bennett staff

    George Mauer

    • I don't envy the product managers' position. Trying to provide any sort of update for a project that has upstream dependencies with soft dates has to be tough. It's easy for me because I'm engineering and I can say, "Yep, we're doing this right now." That said, I agree that some hard facts could have helped out earlier even if it were to say that things aren't going as planned.

    Ben McCann

    • That was my thought at first as well but some may not like exposing that information. E.g., imagine a hypothetical bad actor inviting users to their team only to see which users have 2FA enabled. I'm not sure what they'd do with that information but information leaks are still information leaks. Issue #11711 created to consider this further.

    Brian Rozmierski

    • I think this is reasonably achievable technically but we'll have to be careful with the user experience. We don't want to be in a situation where a team admin enables a 2FA requirement and two weeks later a repo admin and a user can't figure out why the user can't access a repository. Issue #11712 created to consider this further.

  126. Ben McCann

    Dan Bennett that would require some user action in accepting an invitation from someone they don't know. I don't know why people would accept invitations from people they don't know, but we could clarify that accepting an invitation makes some information available to the team admins. Also, that situation would still be preferable to what we have today. Today you have information about the 2FA status for all users (which is that it's disabled for everyone).

  127. Brian Rozmierski

    Ben McCann Dan Bennett UX and info leaking are sort-of hand in hand here. First I agree w/ Ben, a developer accepting invitations blindly would be a bad thing. Not having seen the invite message as a recipient in a while, perhaps a bit of a note or even, gasp, a warning, that joining the team allows the team admins to see... x, y, z... one of those being 2FA status if the repo requires it.

    I think we, as a community, need to begin to accept that 2FA/MFA (be it TOTP, U2F, fingerprint, facial recognition, giving up first born) is gaining traction, fast, as a must have requirement, and that the UX on a site like Bitbucket should be moving in the same direction. Personally, I see a time fast approaching that treats non-2FA accounts like they were using IE6. (Take your pick of bad connotation there, they all work.)

  128. JM

    Dan Bennett First of all, thank you very much for not only updating us all on this issue, but also providing a time line for this feature and assurances that we will soon have a version of 2FA that we can use to protect our intellectual property stored on BB.

    Secondly, thank you for being interactive and responding to the questions and concerns of users who have posted their thoughts since your initial response on this issue promising a solution by 9/30 at the latest.

    Finally, just a general thank you to you and the whole Atlassian team for BB and all of the products you provide. This issue has been a particularly painful one for many of us, both in terms of time to implementation and long periods of being out of the loop and unable to get feedback from you all, but now it appears we are nearing the end of this journey and we can all put the mistakes of the past behind us and focus on things that need attention going forward.

    Thanks again, and I look forward to being able to use your first-gen 2FA implementation in the coming couple of weeks.

    +1

  129. Marcus Bertrand [Atlassian] staff

    Hi all,

    A quick update. As you may expect, enabling two-factor authentication will disable all https access using basic authentication. This means that not only will you need to use SSH for Git and Mercurial; any applications which use basic auth with our API will be impacted as well. Currently, this includes the two SourceTree clients' (Windows/OSX) ability to get a repository list through the Bitbucket API.

    Our recommendation to all application developers is to use OAuth to access our API whenever possible. But we know that many consumers of our APIs may not have the bandwidth to update their applications in the near term.

    To handle this potential issue, we've created Issue #11774 for Application specific passwords. We will not be delivering this feature at the same time as two-factor auth, but we aim to deliver it very shortly after.

    Cheers,
    Marcus and the Bitbucket Team

  130. John Slee

    Not sure what app-specific passwords would add to BitBucket, really. Proper disposable API keys with varying degrees of privilege would be fantastic, though. Right now there seems to be just one API key per team, with full admin privileges. A bit limiting.

  131. alexrinass

    From a third-party app developer perspective, it would be nice to provide Two-Factor API support on top of OAuth.

    At the moment, it is not possible to retrieve access tokens with the "Password" grant type once Two-Factor is enabled for an account:

    {"error_description": "Cannot use password grant for accounts with two step verification enabled.", "error": "invalid_request"}

    Other services provide support for sending the OTP along with the request data, e.g. in the HTTP headers.

    What are the plans regarding this?

  132. unusualbob

    It appears that something is wrong. I have tried both scanning the QR and manually entering the 2 factor key into google authenticator, but bitbucket rejects the code presented as an "Invalid two-step verification code". I'm using 2 factor on 10+ accounts and have had no problems there, so I suspect that something is bugged on your side.

  133. Marcus Bertrand [Atlassian] staff

    Hi unusualbob

    Double check that your phone's clock is synchronized. We don't allow as much wiggle room for inaccurate clocks as some others (like Google). While this puts us closer to the spec, it can certainly cause some unusual troubles for different users. The most common case we hear of is that iPhone clocks with some cell providers tend to be > 30 seconds fast. If that is the case for you, we'd reject your code consistently as it would be outside of our allowable time steps.

    We're listening and evaluating all feedback from users to decide if we should adjust our allowances. If you'd like more private help, or you don't think that's the issue for you, come to support@bitbucket.org so we can help you further.

    --Marcus
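
Added example, not Bitbucket's implementation: a minimal RFC 6238 TOTP verifier with a configurable window of adjacent time steps, used to count how often a client clock that is 35 seconds fast gets its code accepted against a strict verifier (current step only) versus a looser one. The secret is the RFC 4226/6238 test-vector seed; Bitbucket's actual window size is not stated in the thread and is not assumed here.

```python
# Added example (not Bitbucket code): RFC 6238 TOTP verification with a
# configurable skew window, showing why a phone clock running more than one
# 30-second step fast is rejected by a verifier that accepts only the current step.
import hashlib
import hmac
import struct

STEP = 30     # RFC 6238 default time step, in seconds
DIGITS = 6
RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 (SHA-1) test-vector seed

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // STEP)

def verify_totp(secret: bytes, code: str, server_time: int, window: int) -> bool:
    """Accept `code` if it matches the current step or any step within +/- `window`.

    window=0 is the strict verifier; a larger window tolerates client clock drift
    at the cost of accepting more candidate codes per attempt.
    """
    current = server_time // STEP
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-window, window + 1))

def accepted_phases(skew_seconds: int, window: int) -> int:
    """Count, over the STEP possible positions within one time step, how many times a
    client whose clock is off by `skew_seconds` has its code accepted (out of STEP)."""
    base = 1_111_111_080   # constructed, step-aligned base time (phase 0 = start of a step)
    return sum(verify_totp(RFC_TEST_SECRET,
                           totp(RFC_TEST_SECRET, base + phase + skew_seconds),
                           base + phase, window)
               for phase in range(STEP))

if __name__ == "__main__":
    for skew in (0, 10, 35):
        for window in (0, 1):
            print(f"clock {skew:+d}s, window +/-{window}: "
                  f"{accepted_phases(skew, window)}/{STEP} attempts accepted")
```

With window 0 a clock 35 seconds fast is never accepted, while a clock 10 seconds fast still fails one attempt in three; widening to one adjacent step accepts the 35-second case in 25 of 30 positions.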

  134. erooM025

    Can I authenticate with other SAML providers with the on-premise version, like Azure AD? We're looking to run strictly over HTTPS with a more secure authentication. I also need to provide authentication to people that are not employees, and because of contract I prefer not to have VPN as a requirement. We already own the on-premise server but our scope has changed, so perhaps you could tell me if there is a cost-effective means to move to cloud by converting licenses?
