      Provide two-factor authentication in Crowd.

            [CWD-677] Support for two-factor authentication in Crowd.

            Marek Weihs added a comment - Addressed with Crowd 6.2.0.

            Andrew Bain added a comment - Any update on this? Disabling MFA in Entra ID is not an option these days. Are there any workarounds to use Entra ID with enforced MFA?

            Claudia Jansen added a comment -

            Hello Team Atlassian Crowd,

            What is the current status of implementing 2FA in Crowd?
            Did the topic make it onto your roadmap? If so, when can we expect this feature?
            We also need to plan and would like to include this in our roadmap as well.

            Mateusz Miodek added a comment -

            Hi all,

            Thank you so much for your votes and comments on this feature.

            We are doing further research on this topic and would love to invite you to take part in an upcoming customer research study! We're looking to speak to Crowd's administrators about the authentication security requirements.

            What’s involved in the research:

            • Sessions are [1 hour] and conducted over video conference, so you can participate from anywhere around the globe.
            • During the research, we'll start with a general chat to get to know you. Then we would like to discuss what authentication methods you use and how you've set them up for Atlassian Data Center products.
            • As a token of our appreciation, you'll receive an e-gift card worth $100 USD within 5 business days of completing your session.

            Interested in taking part? Follow this link https://www.userinterviews.com/projects/shUftr4lEw/apply to fill in a few more details so we can make sure you’re a good fit.

            If you have any other questions at all, feel free to reply to this message or email me directly on mmiodek@atlassian.com. We look forward to meeting you!

            Cheers,

            Mateusz Miodek

            Product Manager, Atlassian DC User Management Team

            Anderson Santos added a comment - https://getsupport.atlassian.com/browse/PSSRV-53290

            Sarathi Chatterjee added a comment - edited

            Hi Atlassian,

            I am slightly confused here.

            We are looking to implement Crowd DC on AWS and link it to Azure AD which already has 2FA in place.

            Your instructions here https://confluence.atlassian.com/crowd/configuring-azure-active-directory-935372375.html say

            • Crowd doesn't support multi-factor authentication. You'll need to disable it for your users in Azure AD, or they will not be able to log in to Crowd or any integrated applications.

            So essentially you are saying that to integrate Crowd to Azure AD I need to ask my Organisation's InfoSec team to turn off 2FA for Azure AD - which I am sure is not going to happen.

            Am I missing something here?

            Chris Melville added a comment - Very disappointed at the lack of attention.  If you say you are going to provide an update, you should do so.  On time.

            Nick Weltha added a comment - 502 votes, 323 watchers. A promise for an update in 2021 Q2. I still come back and look at this ticket regularly.

            mw added a comment -

            We agree, Atlassian not offering the regular on-premise server is impractical, to say the least. But, there is an option to secure the Datacenter setup.
            You can secure your Crowd and all connected services with the SecSign ID on-premise server. 2FA can be implemented with the SecSign ID 2FA iOS, Android and Desktop apps, FIDO, Mail OTP or hardware token. You can also integrate the 2FA directly with the individual services, for example Confluence. With the SecSign ID solution you have the best flexibility and the best security all with one solution. Plus, you keep control over your authentication data. Send us a message at sales@secsign.com for any questions. Cheers!

            Klaas Chielens added a comment -

            Meanwhile Q2 of 2021 has passed and nothing new has happened. This does not give me much confidence in the declaration of Atlassian that they will continue investing in their data-center products (or at least not in Crowd). This request has been open since 2007 and no action has been taken on this except asking for our patience.

            With teams working from home due to covid restrictions it seems that Atlassian is no longer interested in providing a secure solution to its customers who cannot move to Cloud due to all kinds of restrictions...

            Dina Goncharenko added a comment -

            We use Jira/Confluence/Crucible and are thinking about adding other products as well. Crowd is essential to us.

            We must use Jira Server to be HIPAA compliant (there is no BAA in place as of today for the Cloud or the Data Center), and Jira Server is supported till 2024, so we will stay till then.

            We are also an open source community, and under the agreement with Atlassian our Jira has to be on a public server. So how else can we protect ourselves?!

            Manuel Bähnisch added a comment - I would think that it is still relevant as datacenter will continue.

            Hamish Moffatt added a comment - We integrated Jira/Confluence Server with Keycloak using SAML instead. Given that Jira/Confluence Server are being discontinued won't Crowd become irrelevant?  

            Michael Alphonso added a comment - I emailed marek back when they wanted beta testers. No response :/ — Guess they are no longer with ATL now

            Dina Goncharenko added a comment - The email to Marek is undeliverable. He mentions they decided to add the feature to the road map. Does anyone know where we are at with it? Is there a different product manager we can contact in regard to this issue?

            Kenneth Juul Wannebo added a comment - This needs to be a built in feature and it should have been available a long time ago. We will soon look at other alternatives for Crowd.

            StewartHand added a comment - This is also an area we are looking to move towards and ideally would prefer it built in

            Joshua Romine added a comment -

            Atlassian,

            Is there an update on progress being made to include 2FA into CROWD? This suggestion is 12 years old, and in 2017 it was "planning to be delivered".

            And no, I've looked at plugins and would prefer not to use one. This should be built into Atlassian's user management system.

            Jonathan Wilson added a comment - @Jeff Zarnett Why exactly did you find it wanting?  Out of curiosity, the tool from my perspective seems to hit the mark.  I am curious what you found lacking?  

            Julia Wilhelms added a comment -

            Hi Jeff, thank you for your feedback! We totally get it, that’s why we offer Email OTP and seamless integration in existing company apps as well.
            Did you have any issues with the plugin, or did you miss any features? You're welcome to leave us some feedback here or at support@secsign.com. We value your opinion and we implement customers' ideas regularly.
            We're constantly improving and updating our plugin and the newest release is set for later this month. We've added a lot of additional features just this last year, including user self-activation for 2FA. Integrating a 2FA for Crowd can be a bit confusing because there are so many different operational scenarios, so let us know if you have trouble finding a setting or you're having issues with the integration.

            Jeff Zarnett added a comment - In our case we have evaluated the SecSign plugin and found it to be rather wanting. It's also not that easy to convince customers to install yet another thing. This feature really needs to be natively supported in Crowd.  But as this ticket is going to turn 12 years old in a month and it hasn't been even planned into the roadmap, maybe we should conclude it's never happening and we'll have to choose a different product. 

            Julia Wilhelms added a comment - Have a look at the SecSign ID 2FA plugin to secure your Crowd (and other Atlassian services). We are the first provider that offers full-stack security with 2FA, SAML integration, Crowd 2.0 support, full on-premise or cloud solutions, mobile and desktop applications, and all without inconvenient OTPs. You can download the plugin here for free.

            Dave Thomas added a comment -

            "Now, we are starting the work on improved SSO (easier to configure and cross-domain) and SAML support in Crowd. We can not share yet with you any timelines but we are aiming to deliver it in one of our next releases."

            Ten months later, improved SSO was delivered in version 3.5. Still no SAML support.

            "We will be aiming to enable integration with any SAML based IdP."

            Judging from the comments on CWD-1822, it looks like this has been put on the back burner again.

            Anton Storozhuk added a comment -

            We've just released a 2FA plugin for Crowd: https://marketplace.atlassian.com/apps/1220849/2fa-for-crowd-u2f-totp?hosting=server&tab=overview

            Feel free to use it while waiting for the Crowd native implementation.

            Brandon Helms added a comment -

            We are also a huge DUO shop. Is the recommendation to stay away from Crowd/Jira/Confluence until this is implemented? It sounds kind of dumb that we can independently 2fa into the key Atlassian apps but we can't use the SSO with 2fa in its current form.

            For the people that use DUO, are you all still happy with the hacked solution or was it a waste of time? We are just looking for a solution that would allow sessions to cross between applications without reauthentication into each app.

            Marek Radochonski (Inactive) added a comment - jpadigala I am sorry but I don't have yet ETA for this. It's on our roadmap. We are currently working on new SSO experience in Crowd that will be released in Crowd 3.4 soon. 2FA is one of the next projects on which we will be focusing.

            Jaswanth P added a comment -

            Marek - Any ETA on this? 


            Bengen Tan added a comment -

            Go2Group supports 2 factor authentication 2FA for Crowd.

            We have packaged solutions for US Government’s CAC and PIV cards that are certified by DoD.

            RSA solution as well.

            See: https://www.go2group.com/security/

            Cesar Vinas added a comment - @Marek, are you saying that this is going to be added to Crowd Server or will it be only for the Datacenter edition? If the former, when?

            Marek Radochonski (Inactive) added a comment - Hi charlie.misonne what do you mean exactly? We are considering adding 2FA in Crowd.

            Charlie Misonne added a comment - Hi Marek. What do we tell customers looking at your competitors for solutions that do support 2FA natively?

            Yvan Le Texier added a comment - edited

            The underlying answer is the same as for Delegated Group Admin.
            Atlassian is using this difference in functionality to make you switch to DataCenter, which is a subscription with a constant yearly price (and prevents you from using your application if you stop subscribing).

            I think you should open an improvement request like the one I did for requesting Delegated Group admin to be available in Server Version (see CWD-5251).
            But seeing as it is coded and linked to the license, there is no way Atlassian can easily roll this back.

            What must be understood by everyone here is that Atlassian is now a traded Nasdaq company; they have shareholders, they have business goals, etc.
            Subscriptions allow Atlassian to have constant income every year, whereas a perpetual server license is more hazardous, as the yearly maintenance is 50% of the purchase price and you can stop the software maintenance and still use the product if you don't need/plan to upgrade it.

            So that said, Atlassian wants you to buy a DataCenter subscription and they will find any gentle way to force you.

            "It's not personal, it's just business...."

            Daniel (Amristar) Harvey added a comment - My question is the same as Sandor's. And: What is the motivation on excluding this feature from Crowd server?

            Sandor Krisztian Andre added a comment - So, not available for Crowd server? That would mean no 2FA for under 4500 USD?

            Marek Radochonski (Inactive) added a comment - sandor-krisztian.andre117904017 this will be available through Crowd Data Center across any Server and Data Center Atlassian products connected to Crowd Data Center. We will be aiming to enable integration with any SAML based IdP.

            Sandor Krisztian Andre added a comment - @Marek that makes a lot of sense. Does that mean that we'll be able to use our Azure AD IdP also for 2FA users? Will this be available for Crowd server version?

            Marek Radochonski (Inactive) added a comment - edited

            Thank you again for your interest in 2FA in Crowd. I wanted to update you that we are going to provide SAML support in Crowd so that you can connect your whole Atlassian self-hosted suite through Crowd Data Center to any SAML based IDP.

            This way any 2FA or MFA solution from existing identity providers can be used through Crowd. We have decided not to implement our own native 2FA solution as we have learned that there are many customers using existing 2FA or MFA solution that they would like to use also for their Atlassian suite.

            We have recently finished the work on Delegated group level admin in Crowd and it is now available in Crowd 3.3 EAP.

            Now, we are starting the work on improved SSO (easier to configure and cross-domain) and SAML support in Crowd. We can not share yet with you any timelines but we are aiming to deliver it in one of our next releases.

            Olivier Voortman added a comment - 🙄

            martin.cooper added a comment - this was added to the Roadmap nearly a year ago, any updates?

            Connor Jakes added a comment - Will there be potential integration to use google's Authenticator app for crowd SSO? It makes a lot more sense to use Authenticator for 2FA of our Atlassian products as we already use it for our Google and Amazon 2FA process.

            Titus added a comment -

            @Charlie Misonne

            As I mentioned we are offering a two factor add-on for Atlassian Crowd:

            https://marketplace.atlassian.com/plugins/com.secsign.secsign-crowd/server/overview

            Within the next days we will publish updates for all our add-ons. Besides a redesign the new versions can read and write custom attributes from an Active Directory to have a deeper integration of your user management system with your crowd and jira/confluence instances to provide a two factor authentication.

            If you like to have more information don't hesitate to contact us at info@secsign.com

            Cheers

            Titus

            Charlie Misonne added a comment - Any timeline for this feature?

            Kumaraswamy Namburu added a comment - edited

            Is there a plan to enable support for MFA O365 "microsoft identity service"?

            What is the ETA/release target for this feature?

            Titus added a comment -

            The SecSign 2FA add-on for Atlassian Crowd can be found at https://marketplace.atlassian.com/plugins/com.secsign.secsign-crowd/server/overview

            More information about installation and login procedure can be found at https://www.secsign.com/developers/atlassian/crowd-2-factor-authentication-tutorial/

            Mike Duijvelaar added a comment - Marek, is there any ETA?

            Deleted Account (Inactive) added a comment - Would be great if this supports both OTP (e.g. Google Authenticator) as well as FIDO U2F (yubikey and others:  https://www.yubico.com/products/yubikey-hardware/yubikey4/  )

            mw added a comment -

            @Bryan Bai

            SecSign ID offers 2FA for Crowd, JIRA, Confluence and a great number of other services. With the on-premise setup no information ever leaves your premise, unlike with other solutions. That way you don’t have to worry about information or credentials being intercepted by hackers. What is the road block in your scenario?
            The SecSign ID authentication is different in that it doesn’t need tokens, codes or similar. With the PKI-based authentication only a simple touch login is required, while complex cryptographic mechanisms protect the user in the background. More information on the procedure can be found here www.secsign.com
            Let me know if you have any questions!

            Bryan Bai added a comment -

            Will this Crowd 2FA feature cover all downstream servers, like JIRA/Confluence/Bitbucket? Which means I must implement SSO first? Currently 2FA is a blocker for putting our on-premise JIRA/Confluence up as an internet-facing instance.

            We are evaluating 3rd-party 2FA solutions with JIRA and Confluence and would be glad to trial the one with Crowd if possible.

            Michael Alphonso added a comment -

            @Marek Radochonski Our organization would love an invite to trial 2FA features for Crowd! Specifically, we use DUO Security for our 2FA service and it would be amazing to see that integrated with Crowd so that we could secure any application using Crowd authentication.

            mlalpho at clemson dot edu

            Yvan Le Texier added a comment - Good news! I hope this functionality could be activated per user directory.

            Marek Radochonski (Inactive) added a comment - james.chao1593775980 we cannot yet share any ETA for this feature; however, I can confirm that it is on our roadmap, as per the recent update of the issue. As we get closer to the early phase of building it, we will share more details with you, and we look forward to inviting you and anyone else who is interested to an early validation of our proposed solution, to make sure that we are building something that addresses your needs.

            Marek Radochonski (Inactive) added a comment - matthew.hutton1332407139 as per the recent update of this issue, we have decided to put this feature on our roadmap. This feature is not available yet and is not in beta; however, we will let you know as soon as it is.

            james chao added a comment -

            What kind of 2FA? Will Government CAC auth be supported? Is there any kind of ETA?

            Matthew Hutton added a comment - This feature is currently in beta.

            Brent Cetinich added a comment - - edited


            Brent Harrison added a comment -

            2FA, or not 2FA, that is the question:
            Whether 'tis nobler the admin who suffers
            The slips and mishaps of outrageous misfortune,
            Or to take Arms against a Sea of tickets,
            And by opposing close them: to dev, to fix
            No more; and by a fix, to say we end
            the heart-ache, the thousand natural 'sploits
            that Users are heir to? 'Tis a resolution
            devoutly to be wished.

            Mike Lawson added a comment - I simply cannot believe that a web facing product has so little security available for it.  This is starting to give me cause for alarm.

            Ian Williamson added a comment - We were looking into migrating to on-premise or another solution purely because of this issue. Now that SAML SSO is coming  however I think we should be able to hook it up to our own identity provider killing two birds with one stone - one less password for users to remember and MFA.

            Integro Service added a comment - to celebrate the 10 year ignored feature request? come on Atlassian.. Can you at least respond to all these paying users?

            kgbvax added a comment -

            Let's meet up on the 13th of December, 6 PM CET, here:

            appear.in/crowd-adecadewithout2fa

            James Matthews added a comment - Any danger of this ever getting implemented? 

            Charlie Misonne added a comment - almost 10 years since this feature request. This is crucial for some of our customers. Atlassian, can you please evaluate this need again?

            Arman Salimi added a comment - Atlassian, please add 2FA to your On-Demand instance. Please

            Petter Eriksson added a comment - Correct - similar to Google 2FA. Or if we could do SSO with Google - that would work too.

            Deleted Account (Inactive) added a comment - I think this request is for 2FA using the time-based  one-time password algorithm — as you have implemented in Bitbucket Cloud. https://confluence.atlassian.com/bitbucket/two-step-verification-777023203.html      

            Brett Taylor added a comment - Hi Petter, Can you describe the type of TFA you are looking for?   TFA with RSA is already supported.   Also supported are government and NATO CAC/PIV cards and other variants thereof.  

            Petter Eriksson added a comment - Hi - all products with sensitive data should support 2FA. For us - this is a crucial feature. We will have to move away from JIRA if you don't add this in the near future. Kind regards // Petter

            DevopsD added a comment -

            Can someone from Atlassian please provide an update on this request?

            Matt Troke added a comment -

            Can someone from the Atlassian team please confirm whether 2FA will be rolling out with Atlassian Account later this month, or is this feature still not implemented?


            Zans McLachlan added a comment - I have a number of key stakeholders who are now pushing for this. Sounds like Atlassian is letting the marketplace sort this out?

            james chao added a comment -

            Thanks for the updates, what I was trying to say is we have CROWD providing authentication for these devices today in the BACK END. But if we can tie the FRONT END of CROWD authentication to CAC, and leave the BACK END of CROWD authenticating for these other apps. Then we do not need these other applications to be individually worked on with code changes.

            Can you provide a solution like that?


            Brett Taylor added a comment -

            Hi James!

            We did research on this issue. The issue is not with our CAC/PIV solution, it is lower than that. Even Atlassian SSO is not the issue. We can solve all of this from our side and Atlassian's side.

            From what we checked, tools like Jama or SonarQube do not offer a plugin architecture for authentication. Nor do they provide the source code to let us modify the authentication part. And that is a blocker for this to happen. It has nothing to do with Atlassian or Go2Group.

            We have implemented many CAC/PIV integrations for other SW products beyond the Atlassian family using Crowd/our CAC/PIV/RSA solutions.

            If you can bring these other vendors (such as SonarQube and Jama) to the table with us to solve this, we can do it.

            Cheers!
            Go2Group

            Brett Taylor added a comment - Hi James! We are looking into this right now. It may be possible. How about reaching out to us with this request so we can work on it to your requirements. Ping us at support at go2group.com

            james chao added a comment -

            We need a CROWD-CAC solution different from the Go2Group solution. Because that solution only works for 1 application at a time. We need a solution that ties CROWD to CAC directly, so that other applications (Atlassian and non-Atlassian like FECRU, Jama, static code analysis) syncing with CROWD authenticate through CAC as well.


            Brett Taylor added a comment - Go2Group has 2FA solutions for CAC PIV and RSA. See: https://www.go2group.com/security/ Approved by DoD Certificate of Networthiness (CON).

            Sunny Lakhiyan added a comment - This feature (or lack thereof) is now one of the reasons we are looking elsewhere for our documentation platform as well. I can understand, however, how 250 seats might not be a big customer for Atlassian. Hopefully this comment goes towards persuading Atlassian to look at this feature as an absolute must requirement in this day and age. Thanks. For anyone wanting to spend some money to solve this problem: Duo Security have a really good plugin to offer MFA.

              63999e271dab Pawel Cieszko
              donna@atlassian.com DonnaA
              Votes: 535
              Watchers: 342