Support for Two-Factor authentication using Yubikey OTP token (BB-7829)

Issue #6680 closed
Martijn van der Kleijn
created an issue

Hi there,

I would like to request that you support two-factor authentication. Specifically, the yubikey device. This request is similar but not equal to #5811.

The yubikey is a very nice, easy to use, affordable and secure OTP system that will allow you to easily integrate it into your own system.

For details:

They have many ways to integrate, but in your case using the Web API is probably easiest. They (Yubico) already provide code to make things easier.

For details:

Disclaimer: I'm not involved in any way with Yubico.

Comments (31)

  1. Martijn van der Kleijn reporter

    I agree, that's why I requested it. :) Also, it should be fairly easy to implement.

    (I'm making the assumption here that you're using Crowd as the authentication backend which is fairly pluggable)

  2. Christoffer Aasted

    I second the YubiKey :) It's a very nice device once you get used to its touch-button!

    Also - it's one of those devices that have wide adoption in open-source communities, and many programming libraries available.

  3. Pavel Šlechta

    I think U2F is also a good option. Yubikey already supports U2F out of the box. Google fully supports it, GitHub too. But there is also a drawback: it usually works on web only.

    Anyway, OTP or U2F is better than some smartphone app because the key cannot be (without cutting the chip under microscope) extracted from yubikey.

  4. Gerhard Poul

    @Tom Rini just keep in mind that YubiKey natively only supports one HOTP token and doesn't support TOTP natively without an application on the host. That's a real limitation. With U2F the token can support an unlimited number of web applications for authentication, not just one.

  5. Daniel Sokolowski

    Hey Bitbucket Team, I am sure you are working hard but wanted to emphasize the importance of this. Lack of Yubikey support (and lack of repo search) are the main points against Bitbucket vs Github.

  6. Alastair Wilkes staff

    Hi everyone! Although this issue was originally about OTP keys, there's also been some discussion about U2F, so I'm posting this here too:

    FIDO U2F security keys are now supported in Bitbucket. Visit two-step verification settings to add your key. If you do not already have two-step verification enabled, you’ll need to enable it before you can use your U2F key with Bitbucket.

    If you have any questions or issues, please comment on issue #12246. We’ll update the 2SV documentation in the next few days to include this feature. Thanks!

  7. Gerhard Poul

    Awesome! It's great that this is getting traction. I really don't like the app-codes, but I really like these affordable security tokens. Just a little strange that there wasn't some larger announcement... everyone else adding support for YubiKey gets featured on the Yubico blog... have you told them? :)

    btw: I added my key and activated 2-factor-auth
