
      Provide two-factor authentication in Crowd.

            [CWD-677] Support for two-factor authentication in Crowd.

            Hi all,

            Thank you so much for your votes and comments on this feature.

            We are doing further research on this topic and would love to invite you to take part in an upcoming customer research study! We're looking to speak to Crowd's administrators about the authentication security requirements.

            What’s involved in the research:

            • Sessions are [1 hour] and conducted over video conference, so you can participate from anywhere around the globe.
            • During the research, we'll start with a general chat to get to know you. Then we would like to discuss what authentication methods you use and how you've set them up for Atlassian Data Center products.
            • As a token of our appreciation, you'll receive an e-gift card worth $100 USD within 5 business days of completing your session.

            Interested in taking part? Follow this link https://www.userinterviews.com/projects/shUftr4lEw/apply to fill in a few more details so we can make sure you’re a good fit.

            If you have any other questions at all, feel free to reply to this message or email me directly on mmiodek@atlassian.com. We look forward to meeting you!

            Cheers,

            Mateusz Miodek

            Product Manager, Atlassian DC User Management Team


            Anderson Santos added a comment - https://getsupport.atlassian.com/browse/PSSRV-53290

            Sarathi Chatterjee added a comment - - edited

            Hi Atlassian,

            I am slightly confused here

            We are looking to implement Crowd DC on AWS and link it to Azure AD which already has 2FA in place.

            Your instructions here https://confluence.atlassian.com/crowd/configuring-azure-active-directory-935372375.html say 

            • Crowd doesn't support multi-factor authentication. You'll need to disable it for your users in Azure AD, or they will not be able to log in to Crowd or any integrated applications. 

            So essentially you are saying that to integrate Crowd to Azure AD I need to ask my Organisation's InfoSec team to turn off 2FA for Azure AD - which I am sure is not going to happen.

            Am I missing something here?

             

             


            Chris Melville added a comment -

            Very disappointed at the lack of attention.  If you say you are going to provide an update, you should do so.  On time.

            Nick Weltha added a comment -

            502 votes, 323 watchers. A promise for an update in 2021 Q2. I still come back and look at this ticket regularly.

            mw added a comment -

            We agree, Atlassian not offering the regular on-premise server is impractical, to say at least. But, there is an option to secure the Datacenter setup.
            You can secure your Crowd and all connected services with the SecSign ID on-premise server. 2FA can be implemented with the SecSign ID 2FA iOS, Android and Desktop apps, FIDO, Mail OTP or hardware token. You can also integrate the 2FA directly with the individual services, for example Confluence. With the SecSign ID solution you have the best flexibility and the best security all with one solution. Plus, you keep control over your authentication data. Send us a message at sales@secsign.com for any questions. Cheers!


            Klaas Chielens added a comment -

            Meanwhile Q2 of 2021 has passed and nothing new has happened. This does not give me much confidence in the declaration of Atlassian that they will continue investing in their data-center products (or at least not in Crowd). This request has been open since 2007 and no action has been taken on this except asking for our patience.

            With teams working from home due to covid restrictions it seems that Atlassian is no longer interested in providing a secure solution to its customers who cannot move to Cloud due to all kinds of restrictions...

            Dina Goncharenko added a comment -

            We use Jira/Confluence/Crucible and are thinking about adding other products as well. Crowd is essential to us.

            We must use Jira Server to be HIPAA compliant (there is no BAA in place as of today for the Cloud or the Data Center), and Jira Server is supported till 2024, so we will stay till then.

            We are also an open source community, and under the agreement with Atlassian our Jira has to be on a public server. So how else can we protect ourselves?!

            Manuel Bähnisch added a comment -

            I would think that it is still relevant as datacenter will continue.

            Hamish Moffatt added a comment -

            We integrated Jira/Confluence Server with Keycloak using SAML instead.

            Given that Jira/Confluence Server are being discontinued won't Crowd become irrelevant?

            Michael Alphonso added a comment -

            I emailed marek back when they wanted beta testers. No response :/ — Guess they are no longer with ATL now

            Dina Goncharenko added a comment -

            The email to Marek is undeliverable. He mentions they decided to add the feature to the road map. Does anyone know where we are at with it? Is there a different product manager we can contact in regard to this issue?

            Kenneth Juul Wannebo added a comment -

            This needs to be a built in feature and it should have been available a long time ago.
            We will soon look at other alternatives for Crowd.

            StewartHand added a comment -

            This is also an area we are looking to move towards and ideally would prefer it built in

            Joshua Romine added a comment -

            Atlassian,

            Is there an update on progress being made to include 2FA into CROWD? This suggestion is 12 years old, and in 2017 it was "planning to be delivered".

            And no, I've looked at plugins and would prefer not to use one. This should be built into Atlassian's user management system.

            Jonathan Wilson added a comment -

            @Jeff Zarnett

            Why exactly did you find it wanting?  Out of curiosity, the tool from my perspective seems to hit the mark.  I am curious what you found lacking?

            Julia Wilhelms added a comment -

            Hi Jeff, thank you for your feedback! We totally get it, that’s why we offer Email OTP and seamless integration in existing company apps as well.
            Did you have any issues with the plugin, or did you miss any features? You're welcome to leave us some feedback here or at support@secsign.com. We value your opinion and we implement customers' ideas regularly.
            We're constantly improving and updating our plugin and the newest release is set for later this month. We've added a lot of additional features just this last year, including user self-activation for 2FA. Integrating a 2FA for Crowd can be a bit confusing because there are so many different operational scenarios, so let us know if you have trouble finding a setting or you're having issues with the integration.

            Jeff Zarnett added a comment -

            In our case we have evaluated the SecSign plugin and found it to be rather wanting. It's also not that easy to convince customers to install yet another thing. This feature really needs to be natively supported in Crowd.  But as this ticket is going to turn 12 years old in a month and it hasn't been even planned into the roadmap, maybe we should conclude it's never happening and we'll have to choose a different product.

            Julia Wilhelms added a comment -

            Have a look at the SecSign ID 2FA plugin to secure your Crowd (and other Atlassian services). We are the first provider that offers full-stack security with 2FA, SAML integration, Crowd 2.0 support, full on-premise or cloud solutions, mobile and desktop applications, and all without inconvenient OTPs. You can download the plugin here for free.

            Dave Thomas added a comment -

            "Now, we are starting the work on improved SSO (easier to configure and cross-domain) and SAML support in Crowd. We can not share yet with you any timelines but we are aiming to deliver it in one of our next releases."

            Ten months later, improved SSO was delivered in version 3.5. Still no SAML support.

            "We will be aiming to enable integration with any SAML based IdP."

            Judging from the comments on CWD-1822, it looks like this has been put on the back burner again.

            Anton Storozhuk added a comment -

            We've just released 2FA plugin for Crowd: https://marketplace.atlassian.com/apps/1220849/2fa-for-crowd-u2f-totp?hosting=server&tab=overview

            Feel free to use it while waiting for Crowd native implementation.

            Brandon Helms added a comment -

            We are also a huge DUO shop. Is the recommendation to stay away from Crowd/Jira/Confluence until this is implemented? It sounds kind of dumb that we can independently 2fa into the key Atlassian apps but we can't use the SSO with 2fa in its current form.

            For the people that use DUO, are you all still happy with the hacked solution or was it a waste of time? We are just looking for a solution that would allow sessions to cross between applications without reauthentication into each app.

            Marek Radochonski (Inactive) added a comment -

            jpadigala I am sorry but I don't have yet ETA for this. It's on our roadmap. We are currently working on new SSO experience in Crowd that will be released in Crowd 3.4 soon. 2FA is one of the next projects on which we will be focusing.

            Jaswanth P added a comment -

            Marek - Any ETA on this? 


            Bengen Tan added a comment -

            Go2Group supports 2 factor authentication 2FA for Crowd.

            We have packaged solutions for US Government’s CAC and PIV cards that are certified by DoD.

            RSA solution as well.

            See: https://www.go2group.com/security/

            Cesar Vinas added a comment -

            @Marek, are you saying that this is going to be added to Crowd Server or will it be only for the Datacenter edition? If the former, when?

            Marek Radochonski (Inactive) added a comment -

            Hi charlie.misonne what do you mean exactly? We are considering adding 2FA in Crowd.

            Charlie Misonne added a comment -

            Hi Marek.

            What do we tell customers looking at your competitors for solutions that do support 2FA natively?

            Yvan Le Texier added a comment - - edited

            The underlying answer is the same that for Delegated Group Admin
            Atlassian is using this difference on functionalities to make you switch to DataCenter which is a subscription with constant yearly price (and prevent you to use your application if you stop to subscribe.)

            I think you should open an improvement request like the one I did for requesting Delegated Group admin to be available in Server Version (see CWD-5251)
            But seeing as it is coded and linked to the license, there is no way Atlassian can easily rollback this.

            What must be understood by everyone here is that Atlassian is now a traded Nasdaq company, they have shareholders, they have business goals, etc...
            Subscriptions are allowing Atlassian to have constant incomes every year where a perpetual server license is more hazardous as the yearly maintenance is 50% of the purchase price and you can stop the software maintenance and still use the product if you don't need/plan to upgrade it.

            So that said, Atlassian wants you to buy DataCenter subscription and they will find any gentle way to force you.

            "It's not personal, it's just business...."


            Daniel (Amristar) Harvey added a comment -

            My question is the same as Sandor's. And: What is the motivation on excluding this feature from Crowd server?

            Sandor Krisztian Andre added a comment -

            So, not available for Crowd server? That would mean no 2FA for under 4500 USD?

            Marek Radochonski (Inactive) added a comment -

            sandor-krisztian.andre117904017 this will be available through Crowd Data Center across any Server and Data Center Atlassian products connected to Crowd Data Center. We will be aiming to enable integration with any SAML based IdP.

            Sandor Krisztian Andre added a comment -

            @Marek that makes a lot of sense. Does that mean that we'll be able to use our Azure AD IdP also for 2FA users? Will this be available for Crowd server version?

            Marek Radochonski (Inactive) added a comment - - edited

            Thank you again for your interest in 2FA in Crowd. I wanted to update you that we are going to provide SAML support in Crowd so that you can connect your whole Atlassian self-hosted suite through Crowd Data Center to any SAML based IDP.

            This way any 2FA or MFA solution from existing identity providers can be used through Crowd. We have decided not to implement our own native 2FA solution as we have learned that there are many customers using existing 2FA or MFA solution that they would like to use also for their Atlassian suite.

            We have recently finished the work on Delegated group level admin in Crowd and it is now available in Crowd 3.3 EAP.

            Now, we are starting the work on improved SSO (easier to configure and cross-domain) and SAML support in Crowd. We can not share yet with you any timelines but we are aiming to deliver it in one of our next releases.

            Olivier Voortman added a comment -

            🙄

            martin.cooper added a comment -

            this was added to the Roadmap nearly a year ago, any updates?

            Connor Jakes added a comment -

            Will there be potential integration to use google's Authenticator app for crowd SSO? It makes a lot more sense to use Authenticator for 2FA of our Atlassian products as we already use it for our Google and Amazon 2FA process.

            Titus added a comment -

            @Charlie Misonne

            As I mentioned we are offering a two factor add-on for Atlassian Crowd:

            https://marketplace.atlassian.com/plugins/com.secsign.secsign-crowd/server/overview

            Within the next days we will publish updates for all our add-ons. Besides a redesign the new versions can read and write custom attributes from an Active Directory to have a deeper integration of your user management system with your crowd and jira/confluence instances to provide a two factor authentication.

            If you like to have more information don't hesitate to contact us at info@secsign.com

             

            Cheers

            Titus

             


            Charlie Misonne added a comment -

            Any timeline for this feature?

            Kumaraswamy Namburu added a comment - - edited

            Is there a plan to enable support for MFA O365 "microsoft identity service"?

            What is the ETA/release target for this feature?


            Titus added a comment -

            The SecSign 2FA add-on for Atlassian Crowd can be found at https://marketplace.atlassian.com/plugins/com.secsign.secsign-crowd/server/overview

            More information about installation and login procedure can be found at https://www.secsign.com/developers/atlassian/crowd-2-factor-authentication-tutorial/

            Mike Duijvelaar added a comment -

            Marek, is there any ETA?

            Deleted Account (Inactive) added a comment -

            Would be great if this supports both OTP (e.g. Google Authenticator) as well as FIDO U2F (yubikey and others: https://www.yubico.com/products/yubikey-hardware/yubikey4/ )

            mw added a comment -

            @Bryan Bai 

            SecSign ID offers 2FA for Crowd, JIRA, Confluence and a great number of other services. With the on-premise setup no information ever leaves your premise, unlike with other solutions. That way you don’t have to worry about information or credential being intercepted by hackers. What is the road block in your scenario?
            The SecSign ID authentication is different in that it doesn’t need token, codes or similar. With the PKI-based authentication only a simple touch login is required, while complex cryptographic mechanisms protect the user in the background. More information on the procedure can be found here www.secsign.com
            Let me know if you have any questions!


            Bryan Bai added a comment -

            Will this Crowd 2FA feature cover all downstream servers, like Jira/Confluence/Bitbucket? Which means I must implement SSO first? Currently 2FA is a road blocker for putting our on-premise JIRA/Confluence up as an internet-facing instance.

            We are evaluating 3rd party 2FA solutions with JIRA and Confluence and are glad to trial the one with CROWD if possible.

            Michael Alphonso added a comment -

            @Marek Radochonski Our organization would love an invite to trial 2FA features for crowd! Specifically, we use DUO Security for our 2FA service and would be amazing to see that integrated with crowd so that we could secure any application using crowd authentication.

            mlalpho at clemson dot edu

            Yvan Le Texier added a comment -

            Good news!

            I hope this functionality could be activated per user directory.

            Marek Radochonski (Inactive) added a comment -

            james.chao1593775980 we cannot yet share any ETA for this feature; however, I can confirm that it is on our roadmap as per the recent update of the issue. As we get closer to the early phase of building it, we will share more details with you, and we look forward to inviting you and anyone else who is interested to an early validation of our proposed solution, to make sure that we are building something that addresses your needs.

            Marek Radochonski (Inactive) added a comment -

            matthew.hutton1332407139 as per the recent update of this issue, we have decided to put this feature on our roadmap. This feature is not available yet and is not in beta; however, we will let you know as soon as it is.

            james chao added a comment -

            what kind of 2FA? will Government CAC auth be supported? is there any kind of ETA?


            Matthew Hutton added a comment -

            This feature is currently in beta.

            Brent Cetinich added a comment - - edited


            2FA, or not 2FA, that is the question:
            Whether 'tis nobler the admin who suffers
            The slips and mishaps of outrageous misfortune,
            Or to take Arms against a Sea of tickets,
            And by opposing close them: to dev, to fix
            No more; and by a fix, to say we end
            the heart-ache, the thousand natural 'sploits
            that Users are heir to? 'Tis a resolution
            devoutly to be wished.


            Mike Lawson added a comment -

            I simply cannot believe that a web facing product has so little security available for it. This is starting to give me cause for alarm.

            Ian Williamson added a comment -

            We were looking into migrating to on-premise or another solution purely because of this issue. Now that SAML SSO is coming however I think we should be able to hook it up to our own identity provider killing two birds with one stone - one less password for users to remember and MFA.

            Integro Service added a comment -

            to celebrate the 10 year ignored feature request?

            come on Atlassian.. Can you at least respond to all these paying users?

            kgbvax added a comment -

            Let's meet up at the 13th of December, 6PM CET here: 

             

            appear.in/crowd-adecadewithout2fa


            James Matthews added a comment -

            Any danger of this ever getting implemented?

            Charlie Misonne added a comment -

            Almost 10 years since this feature request.

            This is crucial for some of our customers. Atlassian, can you please evaluate this need again?

            Arman Salimi added a comment -

            Atlassian, please add 2FA to your On-Demand instance. Please

            Petter Eriksson added a comment -

            Correct - similar to Google 2FA. Or if we could do SSO with Google - that would work too.

            Deleted Account (Inactive) added a comment -

            I think this request is for 2FA using the time-based one-time password algorithm — as you have implemented in Bitbucket Cloud.

            https://confluence.atlassian.com/bitbucket/two-step-verification-777023203.html

            Brett Taylor added a comment -

            Hi Petter,

            Can you describe the type of TFA you are looking for?

            TFA with RSA is already supported.

            Also supported are government and NATO CAC/PIV cards and other variants thereof.

            Petter Eriksson added a comment -

            Hi - all products with sensitive data should support 2FA. For us - this is a crucial feature. We will have to move away from JIRA if you don't add this in the near future.

            Kind regards

            // Petter

            DevopsD added a comment -

            Can someone from Atlassian please provide an update on this request?

            Matt Troke added a comment -

            Can someone from the Atlassian team please confirm whether 2FA will be rolling out with Atlassian Account later this month, or is this feature still not implemented?


            Zans McLachlan added a comment -

            I have a number of key stakeholders who are now pushing for this. Sounds like Atlassian is letting the marketplace sort this out?

            james chao added a comment -

            Thanks for the updates, what I was trying to say is we have CROWD providing authentication for these devices today in the BACK END. But if we can tie the FRONT END of CROWD authentication to CAC, and leave the BACK END of CROWD authenticating for these other apps. Then we do not need these other applications to be individually worked on with code changes.

            Can you provide a solution like that?


            Brett Taylor added a comment -

            Hi James!

            We did research on this issue. The issue is not with our CAC/PIV solution, it is lower than that. Even Atlassian SSO is not the issue. We can solve all of this from our side and Atlassian's side.

            From what we checked, tools like Jama or SonarQube do not offer a plugin architecture for authentication. Nor do they provide the source code to let us modify the authentication part. And that is a blocker for this to happen. It has nothing to do with Atlassian or Go2Group.

            We have implemented many CAC/PIV integrations for other SW products beyond the Atlassian family using Crowd/our CAC/PIV/RSA solutions.

            If you can bring these other vendors (such as SonarQube and Jama) to the table with us to solve this, we can do it.

            Cheers!
            Go2Group

            Brett Taylor added a comment -

            Hi James!

            We are looking into this right now. It may be possible.

            How about reaching out to us with this request so we can work on it to your requirements. Ping us at
            support at go2group.com

            james chao added a comment -

            We need a CROWD-CAC solution different from the Go2Group solution. Because that solution only works for 1 application at a time. We need a solution that ties CROWD to CAC directly, so that other applications (Atlassian and non-Atlassian like FECRU, Jama, static code analysis) syncing with CROWD authenticate through CAC as well.


            Brett Taylor added a comment -

            Go2Group has 2FA solutions for CAC PIV and RSA.
            See: https://www.go2group.com/security/

            Approved by DoD Certificate of Networthiness (CON).

            Sunny Lakhiyan added a comment -

            This feature (or lack thereof) is now one of the reasons we are looking elsewhere for our documentation platform as well. I can understand however how 250 seats might not be a big customer for Atlassian. Hopefully this comment goes towards persuading Atlassian to look at this feature as an absolute must requirement in this day and age. Thanks. For anyone wanting to spend some money to solve this problem, Duo Security have a really good plugin to offer MFA.

            Matt Troke added a comment -

            If any project managers are watching this issue, can you give an update on when 2FA might be coming? I was under the impression that it would be included in the rollout of Atlassian Account in the Cloud. When will this be happening? I echo the statements of others on here in that 2FA is absolutely essential for a service such as this!


            Laszlo Kremer added a comment -

            Same here.

            Daniel Vogel added a comment -

            I have been a strong advocate for Atlassian products in my organization. You are losing us as a customer because our security audit flagged Atlassian as an insecure solution due to its lack of 2FA.

            Bummer. The move is going to be painful

            william daniels added a comment -

            @rtan while I appreciate you mentioning that (you guys didn't appear on the regular 'search' rounds when I was poking around before), it's really a shame there isn't any built-in support for this, on an authentication product that we are already paying for. I'm also pretty surprised this isn't higher on their list. I hope that in the long-term, we don't have to rely on third party plugins for the level of security that should already be present

            btan-g2g added a comment -

            Go2Group supports 2 factor authentication (2FA) for Crowd.

            We have packaged solutions for US Government’s CAC and PIV cards that are certified by DoD.

            RSA solution as well.

            See: https://www.go2group.com/security/

            Chris Moreira added a comment -

            I hope this is coming VERY soon. We so need that.

            Will Buckner added a comment -

            It seems this blocks 2FA support for JIRA OnDemand, so, when is this happening?!

            Philip Colmer added a comment -

            Is Atlassian doing any new features for Crowd?

            william daniels added a comment -

            Having the ability to have 2 factor authentication (preferably with support for using a system like google-authenticator to allow token centralization) is becoming more and more absolutely critical for our organization. We use almost every single Atlassian product, we would looooove 2FA on Crowd, which could then be used to set 2FA on multiple sources (since Crowd is our centralized auth). One token + one password for multiple Atlassian products + generic applications? Honestly, I can't imagine anything that should be higher on the priority list, especially with 2FA turning into a huge selling point on many software in a modern world.

            Anyway, please Atlassian, please move this up your list. The current existing plugins (secureLogin for jira/confluence) are broken.

            Tom Tenaglia added a comment -

            Actually, Matt, the assistant who answered the inquiry assigned it to a product manager, who then told me that Atlassian is working on getting Atlassian ID implemented first, which would allow them to implement 2FA and that 2FA is on the radar, and he openly admitted they haven't been good at communicating the plan.

            So, it is coming. Once each cloud product uses Atlassian ID, my understanding is it'll be a more centralized account-level 2FA.

            Matt Troke added a comment -

            Tom, did you receive any response from the CEOs? I am also in need of a two-factor authentication solution for Jira/Confluence and would prefer to go with a hosted solution.


            Tom added a comment -

            I emailed their CEOs via the Contact CEOs link, and this is what I said...

            ------------------

            Hi Scott and Mike,

            In case you don't already know this, I want to bring to your awareness the perception that Atlassian is not putting security as a top priority.

            Atlassian Cloud, while very enticing to use (in fact I'm a customer), does not support two-factor authentication or IP restrictions (functions that do exist in the self-hosted products through add-ons). I think a number of people are only using the cloud because of the potential promise to have these features simply because JIRA tickets are open for these; however, these tickets are now years old (see: https://jira.atlassian.com/browse/CONF-24322 and https://jira.atlassian.com/browse/CLOUD-2636 ) and I can only imagine are now detracting people from using the solution.

            While Bitbucket added two-factor authentication recently, issues arose from using it with integrations such as Bamboo. The workaround has been to use Bitbucket repositories in Git mode, which tells me the Git mode is not protected by two-factor. See: https://jira.atlassian.com/browse/BAM-16282

            In addition, Bamboo has required root level AWS credentials, and Atlassian has yet to publish an AWS IAM policy that would lock down the ID. Given that my AWS instance is two-factor protected, Bamboo Cloud is not two-factor protected, and Bamboo requires root-level AWS credentials, someone could bypass additional security on my AWS account through a compromised Bamboo Cloud. See: https://jira.atlassian.com/browse/BAM-11932

            This is probably not a risk you want.

            I even offered to partner and set up managed instances for customers protected by 2-factor and IP restrictions.

            Oh, and the product development decision on Crowd on this ticket is pretty much saying security is not a focus: https://jira.atlassian.com/browse/CWD-677

            In 2015, every site, and I do mean every, should have two-factor authentication - especially ones that deal with mission-critical business data such as the Atlassian suite.

            While Support has told customers (reading from customer comments) to go with the self-hosted solution of the products, we know for many that is just not possible, hence why the Atlassian Cloud is such a viable solution.

            Can Atlassian please prioritize security higher in 2016, implement two-factor authentication and IP restrictions in all their products, or at a minimum provide the hook for marketplace add-ons to do it for Atlassian Cloud? (I would love to use Duo: https://jira.atlassian.com/browse/CLOUD-7828 )

            Thanks,

            Tom


            Brett Taylor added a comment -

            Go2Group has a commercial shrink wrapped available solution for two-factor authentication for RSA as well as US Government and NATO CAC and PIV cards and also commercial smart cards.

            See http://www.go2group.com/security/

            Matthew Hutton added a comment -

            That this isn't implemented is a huge negative for Atlassian's products.

            Tom added a comment -

            I'm tired of waiting for Atlassian. I will provide an Atlassian managed cloud for you to get two-factor authentication and IP restrictions. If you are open to this idea, let me know here: http://smsworkflow.com/site/managed-cloud-interest/


            Steven Clarkson added a comment -

            Voting for this as well. Insane that a product at this price point doesn't natively support 2 factor. I would rather not use a plugin or 3rd party to accomplish this.

            Emanuel Borsboom added a comment -

            Another would be to support proper integration with Duo Security. We worked around the lack of this built-in 2FA support by using Duo's LDAP authentication proxy. It was a pain to set up and the integration is poor (authentication just hangs until the login is approved via Duo, and the error messages if 2FA fails are meaningless), but it does mostly work.

            Nuno Loureiro added a comment -

            Support for 2-FA could be implemented in several ways. To be constructive, here're some ideas:

            • Optionally require 2-FA only if user is authenticating from a new device
            • Support Yubikey
            • Support Google Authenticator
            • Support HOTP and/or FIDO U2F
            • Support Push notification to your mobile app with the OTP

            Nuno Loureiro added a comment -

            It's a really big disappointment that Atlassian doesn't support 2-FA yet. It's 2015 guys, seriously!

            Sunny Lakhiyan added a comment -

            We are using Thycotic to protect access to Confluence. It is laughable that Atlassian still has not released anything re this. Not even a roadmap! - I could be wrong and looking forward to being told they have!

            Brett Taylor added a comment -

            Go2Group has 2 factor working with RSA and with CCA US / NATO CAC and PIV cards, as well as other smart cards.

            These are shrink wrapped products.

            We are working on RSA certification right now.

            Bryan Stone added a comment -

            For any cloud-based product, this should be a requirement - especially with the latest attacks being publicized. 2-factor may not be the only mechanism, but relying on a singular user/password scheme is not good enough.

            Sebastian Nohn added a comment -

            In 2015 2FA-Support should be standard for any commercial product.

            Emanuel Borsboom added a comment -

            We got 2FA working with Crowd by moving our user directory into OpenLDAP and then using Duo's auth proxy to get Duo to do 2FA. This basically works but is not ideal, since there is no UI feedback for the 2FA (it just hangs until the login request is approved), doesn't support Duo sending a text message with an auth code, and users with a hardware token need to append their OTP to the password field. Here's our authproxy.cfg:

            [ad_client]
            host=localhost
            service_account_username=cn=admin,dc=example,dc=com
            service_account_password=ADMIN PASSWORD
            search_dn=dc=example,dc=com
            auth_type=plain
            bind_dn=cn=admin,dc=example,dc=com
            username_attribute=cn

            [ldap_server_auto]
            port=3389
            client=ad_client
            ikey=INTEGRATION KEY
            skey=SECRET KEY
            api_host=API HOSTNAME
            failmode=secure
            exempt_primary_bind=false
            exempt_ou_1=cn=admin,dc=example,dc=com

            This assumes that slapd is running on the same server as Crowd. You just switch Crowd's LDAP connector to connect to port 3389 (duoauthproxy) instead of 389 (slapd itself).
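An added example, not part of the comment above and not Duo's or Atlassian's code: a small Python audit of that authproxy.cfg which lists the ways an LDAP bind through the proxy could succeed without a second factor. It assumes, from Duo's Authentication Proxy documentation, that failmode defaults to safe, that exempt_primary_bind defaults to true, and that an exempt_ou_N entry covers the named DN and everything under it; the function names and the weak variant are constructed for this example.

```python
import configparser

# Constructed input: the authproxy.cfg quoted in the comment above, placeholders kept.
SAMPLE_CFG = """
[ad_client]
host=localhost
service_account_username=cn=admin,dc=example,dc=com
service_account_password=ADMIN PASSWORD
search_dn=dc=example,dc=com
auth_type=plain
bind_dn=cn=admin,dc=example,dc=com
username_attribute=cn

[ldap_server_auto]
port=3389
client=ad_client
ikey=INTEGRATION KEY
skey=SECRET KEY
api_host=API HOSTNAME
failmode=secure
exempt_primary_bind=false
exempt_ou_1=cn=admin,dc=example,dc=com
"""

# Constructed weak variant: defaults left in place, a subtree-wide exemption,
# and a directory on another host (ldap.example.com is a made-up name).
WEAK_CFG = (SAMPLE_CFG
            .replace("failmode=secure\n", "")
            .replace("exempt_primary_bind=false\n", "")
            .replace("exempt_ou_1=cn=admin,dc=example,dc=com",
                     "exempt_ou_1=dc=example,dc=com")
            .replace("host=localhost", "host=ldap.example.com"))

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas so DNs can be compared."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def covers(ancestor, dn):
    """True if dn equals ancestor or sits underneath it in the directory tree."""
    a, d = norm_dn(ancestor), norm_dn(dn)
    return d == a or d.endswith("," + a)


def audit(cfg_text):
    """Return (severity, section, message) findings for 2FA bypass paths."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' may occur in secrets
    cp.read_string(cfg_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("ldap_server_auto"):
            continue
        srv = cp[name]
        client_name = srv.get("client", "")
        client = cp[client_name] if cp.has_section(client_name) else None

        # Assumed default when the key is absent: failmode=safe.
        if srv.get("failmode", "safe").strip().lower() != "secure":
            findings.append(("HIGH", name,
                             "failmode is not 'secure': password-only logins "
                             "succeed while Duo is unreachable"))
        # Assumed default when the key is absent: exempt_primary_bind=true.
        if srv.get("exempt_primary_bind", "true").strip().lower() == "true":
            findings.append(("MEDIUM", name,
                             "exempt_primary_bind is on: the first bind on "
                             "every connection skips 2FA"))
        for key, dn in srv.items():
            if not key.startswith("exempt_ou_"):
                continue
            base = client.get("search_dn", "") if client is not None else ""
            svc = client.get("service_account_username", "") if client is not None else ""
            if base and covers(dn, base):
                findings.append(("HIGH", name,
                                 f"{key}={dn} covers the search base: "
                                 "every user is exempt from 2FA"))
            elif svc and norm_dn(dn) == norm_dn(svc):
                findings.append(("INFO", name,
                                 f"{key} exempts only the service account"))
            else:
                findings.append(("MEDIUM", name,
                                 f"{key}={dn} is exempt from 2FA and is not "
                                 "the service account"))
        if (client is not None
                and client.get("auth_type", "").strip().lower() == "plain"
                and client.get("host", "").strip().lower() not in LOCAL_HOSTS):
            findings.append(("MEDIUM", client.name,
                             "plain bind to a remote directory: confirm the "
                             "link is protected by LDAPS or StartTLS"))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CFG), ("weak variant", WEAK_CFG)):
        print(label)
        for sev, section, msg in audit(text):
            print(f"  [{sev}] {section}: {msg}")
```

Run against the configuration as posted, the only finding is the informational note that the service account is exempt, which is what the comment's settings intend.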

            You can also use SSO with 2FA if VPN is not acceptable (again, this is my personal, temporary suggestion until Atlassian implements it in their products).

            Michal Paraschidis added a comment

            Ingomar, you misunderstood that. I don't work for Atlassian, it's the workaround I found acceptable...

            Michal Paraschidis added a comment

            kgbvax added a comment -

            The fact that Atlassian is pointing their clients which ask for 2FA to VPN is, well, not helping. Leave user experience aside, you may have a much larger population of Atlassian product users than VPN users. VPN is support intensive.

            Found this:
            When we make internal decisions we ask ourselves "how will this affect our customers?" If the answer is that it would 'screw' them, or make life more difficult, then we need to find a better way. We want the customer to respect us in the morning.


            Laurent, you could temporarily secure access to Atlassian by enforcing use of VPN to connect to Atlassian, which would require 2-factor authentication. I know it's not ideal, but it would increase security.

            Michal Paraschidis added a comment

              63999e271dab Pawel Cieszko
              donna@atlassian.com DonnaA
              Votes: 535
              Watchers: 342
