• Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Firefox doesn't have U2F security key functionality built in but there is an addon that can enable it. It would be nice if logging into Bitbucket detected whether or not U2F is available and not just if the browser is Chrome/Chromium

            [BCLOUD-13013] Bitbucket does not detect U2F on Firefox

            Issue BCLOUD-16402 was marked as a duplicate of this issue.

            Alastair Wilkes added a comment - Issue BCLOUD-16402 was marked as a duplicate of this issue.

            Iain Fogg added a comment -

            Great @markadams-atl and @awbb very impressed with your helpfulness and response on this item - it's working great for me now!

            Iain Fogg added a comment - Great @markadams-atl and @awbb very impressed with your helpfulness and response on this item - it's working great for me now!

            eyoung added a comment -

            Awesome! I am probably more excited than I should be to see this completed. Thanks for making this already awesome platform more awesome.

            eyoung added a comment - Awesome! I am probably more excited than I should be to see this completed. Thanks for making this already awesome platform more awesome.

            Hi everyone,

            We just released some changes to our FIDO U2F implementation and it should now work with any browser that implements the window.u2f API (Firefox 57+) or implements the Chrome U2F plugin (Chrome & Opera).

            Please note, U2F has not been publicly released in Firefox and requires turning on the security.webauth.u2f config flag in about:config in order to take advantage of the functionality. Since this is currently behind a flag in Firefox, you should assume it is beta functionality and you may encounter bugs or other issues that may need to be fixed by the Firefox team.

            Thanks!

            Mark Adams, Sr. Developer, Bitbucket

            Mark Adams (Inactive) added a comment - Hi everyone, We just released some changes to our FIDO U2F implementation and it should now work with any browser that implements the window.u2f API (Firefox 57+) or implements the Chrome U2F plugin (Chrome & Opera). Please note, U2F has not been publicly released in Firefox and requires turning on the security.webauth.u2f config flag in about:config in order to take advantage of the functionality. Since this is currently behind a flag in Firefox, you should assume it is beta functionality and you may encounter bugs or other issues that may need to be fixed by the Firefox team. Thanks! Mark Adams, Sr. Developer, Bitbucket

            You're welcome. Cheers!

            Alastair Wilkes added a comment - You're welcome. Cheers!

            Iain Fogg added a comment -

            Thanks @awbb that's been really helpful. Either it's changed or I totally misremembered/misunderstood it, but I thought that adding the key had removed the TOTP authenticator. Maybe it's because it doesn't show the TOPT info any more, but I'd thought I remembered a warning about it originally.

            Anyhow, it's solved my problem, so thanks for the prompt responses today, and do let me know when you hear back about the status of getting U2F working on Firefox Quantum. Cheers!

            Iain Fogg added a comment - Thanks @awbb that's been really helpful. Either it's changed or I totally misremembered/misunderstood it, but I thought that adding the key had removed the TOTP authenticator. Maybe it's because it doesn't show the TOPT info any more, but I'd thought I remembered a warning about it originally. Anyhow, it's solved my problem, so thanks for the prompt responses today, and do let me know when you hear back about the status of getting U2F working on Firefox Quantum. Cheers!

            I confirmed that you should be able to use both TOTP and U2F together (in fact, you have to - we don't allow U2F only, so you have to set up an authenticator app first).

            Alastair Wilkes added a comment - I confirmed that you should be able to use both TOTP and U2F together (in fact, you have to - we don't allow U2F only, so you have to set up an authenticator app first).

            Ah! I understand.

            That doesn't sound right; I'm 99% sure you should still be able to use Google Authenticator OTP codes as a fallback. Let me look into that - maybe we're doing something silly.

            Alastair Wilkes added a comment - Ah! I understand. That doesn't sound right; I'm 99% sure you should still be able to use Google Authenticator OTP codes as a fallback. Let me look into that - maybe we're doing something silly.

            Iain Fogg added a comment -

            Thanks @awbb

            Re Google Authenticator, what I was referring to is that in the two step verification settings, you can't have both a Yubikey and a Google Authenticator app set up at the same time. Some other sites allow you to have both, and if you don't have the Yubikey (or the site doesn't support it in Firefox), you can fall back to using another 2FA method such as Google Authenticator (or other options). Because BB doesn't allow both, I'm forced to use a one time password whenever I use Firefox for BitBucket (or to turn off the Yubikey option).

            Iain Fogg added a comment - Thanks @awbb Re Google Authenticator, what I was referring to is that in the two step verification settings, you can't have both a Yubikey and a Google Authenticator app set up at the same time. Some other sites allow you to have both, and if you don't have the Yubikey (or the site doesn't support it in Firefox), you can fall back to using another 2FA method such as Google Authenticator (or other options). Because BB doesn't allow both, I'm forced to use a one time password whenever I use Firefox for BitBucket (or to turn off the Yubikey option).

            Hi Iain,

            There were some issues that put this on the back burner; let me check on the status.

            In the meantime, Google Authenticator is supported. You can use any authenticator app, not just Authy. Unless you're referring to something else?

            Alastair Wilkes added a comment - Hi Iain, There were some issues that put this on the back burner; let me check on the status. In the meantime, Google Authenticator is supported. You can use any authenticator app, not just Authy. Unless you're referring to something else?

              madams@atlassian.com Mark Adams (Inactive)
              rrudnicki Renato Rudnicki (Inactive)
              Votes:
              3 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: