Suggestion
Resolution: Unresolved
Summary
Currently, when the external user security policy requires one-time passcodes (OTP), external users are always asked to enter an email OTP at login, even if they already have two-factor authentication (2FA) enabled on their Atlassian account. Customers request the ability for 2FA-enabled users to authenticate with password + 2FA only, with email OTP used solely as a fallback second factor for users who have not enabled 2FA.
Description
Atlassian Cloud's current behavior applies email OTP universally whenever the external user security policy has OTP enabled. This means external users who have already enabled 2FA are forced to provide both their authenticator app code and an email OTP during login. Customers find this workflow redundant and unnecessarily burdensome, especially since an authenticator-based 2FA code is already a stronger second factor than an email OTP: it is bound to a device the user holds rather than to a mailbox that may itself be protected only by a password.
Suggested features
- Allow admins to configure the external user security policy such that:
  - If a user has 2FA enabled, require ID/password + 2FA only (no email OTP).
  - If a user does not have 2FA enabled, enforce ID/password + email OTP.
- Make email OTP act as a true fallback method for users without 2FA, not an additional mandatory step for 2FA-enabled users.
Expected outcome
Admins can enforce stricter security while providing a smoother user experience:
- External users with 2FA enabled will only need to complete password + 2FA.
- External users without 2FA will still be protected through email OTP as a second factor.
- This balances security and usability, reduces login friction for 2FA-enabled guests, and supports organizations that want to encourage MFA adoption without making login more complicated than it needs to be.
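The following is an added illustration of the policy logic described under "Suggested features"; it is not Atlassian code and does not reflect how Atlassian Cloud implements the external user security policy. It models the current behavior (email OTP appended for everyone when OTP is required) next to the requested behavior (email OTP only when the user has no 2FA), and verifies each factor: TOTP per RFC 6238 with a small clock-skew window, and a single-use, hashed, expiring email passcode. The setting name `otp_fallback_only`, the 10-minute email OTP lifetime, and the RFC 4226/6238 test secret are assumptions made for the example.

```python
"""Hypothetical evaluator for an external user security policy (illustration,
not Atlassian code). Contrasts the current behaviour (email OTP always added
when the policy requires OTP) with the requested behaviour (email OTP only as a
fallback for users without 2FA), and verifies each factor."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

TOTP_STEP = 30          # seconds per TOTP window (RFC 6238 default)
EMAIL_OTP_TTL = 600     # seconds an email passcode stays valid (assumed value)


@dataclass
class ExternalUser:
    email: str
    totp_secret: Optional[bytes] = None   # None means 2FA is not enrolled


@dataclass
class ExternalUserPolicy:
    require_otp: bool                  # existing "one-time passcode" setting
    otp_fallback_only: bool = False    # assumed new setting: skip email OTP for 2FA users


def required_factors(policy: ExternalUserPolicy, user: ExternalUser) -> list:
    """Factors an external user must complete at login under the given policy."""
    factors = ["password"]
    if not policy.require_otp:
        return factors
    if user.totp_secret is None:
        factors.append("email_otp")        # no 2FA enrolled: email OTP is the second factor
        return factors
    factors.append("totp")
    if not policy.otp_fallback_only:
        factors.append("email_otp")        # current behaviour: redundant third step
    return factors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: Optional[float] = None, skew: int = 1) -> bool:
    """TOTP per RFC 6238; accepts +/-`skew` windows to tolerate client clock drift."""
    counter = int((time.time() if now is None else now) // TOTP_STEP)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


@dataclass
class EmailOtpStore:
    """Issued email passcodes: stored hashed, single-use, with an expiry."""
    _issued: dict = field(default_factory=dict)

    def issue(self, email: str, now: Optional[float] = None) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        issued_at = time.time() if now is None else now
        self._issued[email] = (hashlib.sha256(code.encode()).digest(), issued_at)
        return code      # a real deployment would e-mail this, never return it

    def verify(self, email: str, code: str, now: Optional[float] = None) -> bool:
        entry = self._issued.pop(email, None)      # pop => a code can be used once
        if entry is None:
            return False
        digest, issued_at = entry
        if (time.time() if now is None else now) - issued_at > EMAIL_OTP_TTL:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())


def login(policy: ExternalUserPolicy, user: ExternalUser, password_ok: bool,
          totp_code: Optional[str], email_code: Optional[str],
          store: EmailOtpStore, now: Optional[float] = None) -> bool:
    """Succeeds only if every factor the policy requires for this user is valid."""
    for factor in required_factors(policy, user):
        if factor == "password" and not password_ok:
            return False
        if factor == "totp" and not verify_totp(user.totp_secret, totp_code or "", now):
            return False
        if factor == "email_otp" and not store.verify(user.email, email_code or "", now):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample data: the RFC 4226/6238 test secret and a fixed clock.
    guest = ExternalUser("guest@example.com", totp_secret=b"12345678901234567890")
    current = ExternalUserPolicy(require_otp=True)
    requested = ExternalUserPolicy(require_otp=True, otp_fallback_only=True)
    print("current  :", required_factors(current, guest))
    print("requested:", required_factors(requested, guest))
    store = EmailOtpStore()
    print("login (requested, TOTP only):",
          login(requested, guest, True, hotp(guest.totp_secret, 59 // TOTP_STEP), None, store, now=59))
```

Under the requested policy a 2FA-enrolled guest completes password + TOTP and is done; under the current policy the same login fails until an email passcode is also supplied, which is exactly the redundant step this suggestion asks to remove. A user without a TOTP secret gets password + email OTP under both policies, so the fallback protection is unchanged.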