
      Provide two-factor authentication in Crowd.

            [CWD-677] Support for two-factor authentication in Crowd.

            Sandor Krisztian Andre added a comment -

            So, not available for Crowd server? That would mean no 2FA for under 4500 USD?

            Marek Radochonski (Inactive) added a comment -

            sandor-krisztian.andre117904017 this will be available through Crowd Data Center across any Server and Data Center Atlassian products connected to Crowd Data Center. We will be aiming to enable integration with any SAML-based IdP.

            Sandor Krisztian Andre added a comment -

            @Marek that makes a lot of sense. Does that mean that we'll be able to use our Azure AD IdP also for 2FA users? Will this be available for the Crowd server version?

            Marek Radochonski (Inactive) added a comment - - edited

            Thank you again for your interest in 2FA in Crowd. I wanted to update you that we are going to provide SAML support in Crowd so that you can connect your whole Atlassian self-hosted suite through Crowd Data Center to any SAML-based IdP.

            This way any 2FA or MFA solution from existing identity providers can be used through Crowd. We have decided not to implement our own native 2FA solution, as we have learned that there are many customers using an existing 2FA or MFA solution that they would like to use also for their Atlassian suite.

            We have recently finished the work on Delegated group level admin in Crowd and it is now available in Crowd 3.3 EAP.

            Now, we are starting the work on improved SSO (easier to configure and cross-domain) and SAML support in Crowd. We cannot share any timelines with you yet, but we are aiming to deliver it in one of our next releases.

            Olivier Voortman added a comment -

            🙄

            martin.cooper added a comment -

            This was added to the Roadmap nearly a year ago, any updates?

            Connor Jakes added a comment -

            Will there be potential integration to use Google's Authenticator app for Crowd SSO? It makes a lot more sense to use Authenticator for 2FA of our Atlassian products, as we already use it for our Google and Amazon 2FA process.

            Titus added a comment -

            @Charlie Misonne

            As I mentioned, we are offering a two-factor add-on for Atlassian Crowd:

            https://marketplace.atlassian.com/plugins/com.secsign.secsign-crowd/server/overview

            Within the next days we will publish updates for all our add-ons. Besides a redesign, the new versions can read and write custom attributes from an Active Directory to have a deeper integration of your user management system with your Crowd and Jira/Confluence instances to provide a two-factor authentication.

            If you would like more information, don't hesitate to contact us at info@secsign.com

            Cheers

            Titus

            Charlie Misonne added a comment -

            Any timeline for this feature?

            Kumaraswamy Namburu added a comment - - edited

            Is there a plan to enable support for MFA O365 "microsoft identity service"?

            What is the ETA/release target for this feature?


            Titus added a comment -

            The SecSign 2FA add-on for Atlassian Crowd can be found at https://marketplace.atlassian.com/plugins/com.secsign.secsign-crowd/server/overview

            More information about the installation and login procedure can be found at https://www.secsign.com/developers/atlassian/crowd-2-factor-authentication-tutorial/

            Mike Duijvelaar added a comment -

            Marek, is there any ETA?

            Deleted Account (Inactive) added a comment -

            Would be great if this supports both OTP (e.g. Google Authenticator) as well as FIDO U2F (YubiKey and others: https://www.yubico.com/products/yubikey-hardware/yubikey4/ )

            mw added a comment -

            @Bryan Bai

            SecSign ID offers 2FA for Crowd, JIRA, Confluence and a great number of other services. With the on-premise setup no information ever leaves your premises, unlike with other solutions. That way you don't have to worry about information or credentials being intercepted by hackers. What is the road block in your scenario?

            The SecSign ID authentication is different in that it doesn't need tokens, codes or similar. With the PKI-based authentication only a simple touch login is required, while complex cryptographic mechanisms protect the user in the background. More information on the procedure can be found here: www.secsign.com

            Let me know if you have any questions!

            Bryan Bai added a comment -

            Will this Crowd 2FA feature cover all downstream servers, like Jira/Confluence/Bitbucket? Does that mean I must implement SSO first? Currently 2FA is a road blocker for putting our on-premise JIRA/Confluence up as an internet-facing instance.

            We are evaluating 3rd party 2FA solutions with JIRA and Confluence and would be glad to trial the one with CROWD if possible.

            Michael Alphonso added a comment -

            @Marek Radochonski Our organization would love an invite to trial 2FA features for Crowd! Specifically, we use DUO Security for our 2FA service and it would be amazing to see that integrated with Crowd so that we could secure any application using Crowd authentication.

            mlalpho at clemson dot edu

            Yvan Le Texier added a comment -

            Good news!

            I hope this functionality could be activated per user directory.

            Marek Radochonski (Inactive) added a comment -

            james.chao1593775980 we cannot share any ETA for this feature yet; however, I can confirm that it is on our roadmap, as per the recent update of the issue. As we get closer to the early phase of building it we will share more details with you, and we look forward to inviting you and anyone else who is interested into early validation of our proposed solution, to make sure that we are building something that addresses your needs.

            Marek Radochonski (Inactive) added a comment -

            matthew.hutton1332407139 as per the recent update of this issue we have decided to put this feature on our roadmap. This feature is not available yet and is not in beta; however, we will let you know as soon as it is.

            james chao added a comment -

            What kind of 2FA? Will Government CAC auth be supported? Is there any kind of ETA?

            Matthew Hutton added a comment -

            This feature is currently in beta.

            Brent Cetinich added a comment - - edited


            Brent Harrison added a comment -

            2FA, or not 2FA, that is the question:
            Whether 'tis nobler the admin who suffers
            The slips and mishaps of outrageous misfortune,
            Or to take Arms against a Sea of tickets,
            And by opposing close them: to dev, to fix
            No more; and by a fix, to say we end
            the heart-ache, the thousand natural 'sploits
            that Users are heir to? 'Tis a resolution
            devoutly to be wished.

            Mike Lawson added a comment -

            I simply cannot believe that a web-facing product has so little security available for it. This is starting to give me cause for alarm.

            Ian Williamson added a comment -

            We were looking into migrating to on-premise or another solution purely because of this issue. Now that SAML SSO is coming, however, I think we should be able to hook it up to our own identity provider, killing two birds with one stone: one less password for users to remember, and MFA.

            Integro Service added a comment -

            To celebrate the 10-year ignored feature request?

            Come on, Atlassian. Can you at least respond to all these paying users?

            kgbvax added a comment -

            Let's meet up on the 13th of December, 6PM CET here:

            appear.in/crowd-adecadewithout2fa

            James Matthews added a comment -

            Any danger of this ever getting implemented?

            Charlie Misonne added a comment -

            Almost 10 years since this feature request.

            This is crucial for some of our customers. Atlassian, can you please evaluate this need again?

            Arman Salimi added a comment -

            Atlassian, please add 2FA to your On-Demand instance. Please.

            Petter Eriksson added a comment -

            Correct - similar to Google 2FA. Or if we could do SSO with Google, that would work too.

            Deleted Account (Inactive) added a comment -

            I think this request is for 2FA using the time-based one-time password algorithm, as you have implemented in Bitbucket Cloud.

            https://confluence.atlassian.com/bitbucket/two-step-verification-777023203.html

            Brett Taylor added a comment -

            Hi Petter,

            Can you describe the type of TFA you are looking for?

            TFA with RSA is already supported.

            Also supported are government and NATO CAC/PIV cards and other variants thereof.

            Petter Eriksson added a comment -

            Hi - all products with sensitive data should support 2FA. For us this is a crucial feature. We will have to move away from JIRA if you don't add this in the near future.

            Kind regards

            // Petter

            DevopsD added a comment -

            Can someone from Atlassian please provide an update on this request?

            Matt Troke added a comment -

            Can someone from the Atlassian team please confirm whether 2FA will be rolling out with Atlassian Account later this month, or is this feature still not implemented?


            Zans McLachlan added a comment -

            I have a number of key stakeholders who are now pushing for this. Sounds like Atlassian is letting the marketplace sort this out?

            james chao added a comment -

            Thanks for the updates. What I was trying to say is that we have CROWD providing authentication for these devices today in the BACK END. But if we can tie the FRONT END of CROWD authentication to CAC and leave the BACK END of CROWD authenticating for these other apps, then we do not need these other applications to be individually worked on with code changes.

            Can you provide a solution like that?

            Brett Taylor added a comment -

            Hi James!

            We did research on this issue. The issue is not with our CAC/PIV solution, it is lower than that. Even Atlassian SSO is not the issue. We can solve all of this from our side and Atlassian's side.

            From what we checked, tools like Jama or SonarQube do not offer a plugin architecture for authentication. Nor do they provide the source code to let us modify the authentication part. And that is a blocker for this to happen. It has nothing to do with Atlassian or Go2Group.

            We have implemented many CAC/PIV integrations for other SW products beyond the Atlassian family using Crowd/our CAC/PIV/RSA solutions.

            If you can bring these other vendors (such as SonarQube and Jama) to the table with us to solve this, we can do it.

            Cheers!
            Go2Group

            Brett Taylor added a comment -

            Hi James!

            We are looking into this right now. It may be possible.

            How about reaching out to us with this request so we can work on it to your requirements? Ping us at
            support at go2group.com

            james chao added a comment -

            We need a CROWD-CAC solution different from the Go2Group solution, because that solution only works for 1 application at a time. We need a solution that ties CROWD to CAC directly, so that other applications (Atlassian and non-Atlassian, like FECRU, Jama, static code analysis) syncing with CROWD authenticate through CAC as well.

            Brett Taylor added a comment -

            Go2Group has 2FA solutions for CAC PIV and RSA.
            See: https://www.go2group.com/security/

            Approved by DoD Certificate of Networthiness (CON).

            Sunny Lakhiyan added a comment -

            This feature (or lack thereof) is now one of the reasons we are looking elsewhere for our documentation platform as well. I can understand, however, how 250 seats might not be a big customer for Atlassian. Hopefully this comment goes towards persuading Atlassian to look at this feature as an absolute must requirement in this day and age. Thanks. For anyone wanting to spend some money to solve this problem, [Duo Security] have a really good plugin to offer MFA.

            Matt Troke added a comment -

            If any project managers are watching this issue, can you give an update on when 2FA might be coming? I was under the impression that it would be included in the rollout of Atlassian Account in the Cloud. When will this be happening? I echo the statements of others on here in that 2FA is absolutely essential for a service such as this!


            Laszlo Kremer added a comment -

            Same here.

            Daniel Vogel added a comment -

            I have been a strong advocate for Atlassian products in my organization. You are losing us as a customer because our security audit flagged Atlassian as an insecure solution due to its lack of 2FA.

            Bummer. The move is going to be painful.

            william daniels added a comment -

            @rtan while I appreciate you mentioning that (you guys didn't appear on the regular 'search' rounds when I was poking around before), it's really a shame there isn't any built-in support for this on an authentication product that we are already paying for. I'm also pretty surprised this isn't higher on their list. I hope that in the long term we don't have to rely on third-party plugins for the level of security that should already be present.

            btan-g2g added a comment -

            Go2Group supports two-factor authentication (2FA) for Crowd.

            We have packaged solutions for US Government's CAC and PIV cards that are certified by DoD.

            RSA solution as well.

            See: https://www.go2group.com/security/

            Chris Moreira added a comment -

            I hope this is coming VERY soon. We so need that.

            Will Buckner added a comment -

            It seems this blocks 2FA support for JIRA OnDemand, so, when is this happening?!

            Philip Colmer added a comment -

            Is Atlassian doing any new features for Crowd?

            william daniels added a comment -

            Having the ability to have 2-factor authentication (preferably with support for using a system like google-authenticator to allow token centralization) is becoming more and more absolutely critical for our organization. We use almost every single Atlassian product; we would looooove 2FA on Crowd, which could then be used to set 2FA on multiple sources (since Crowd is our centralized auth). One token + one password for multiple Atlassian products + generic applications? Honestly, I can't imagine anything that should be higher on the priority list, especially with 2FA turning into a huge selling point for much software in a modern world.

            Anyway, please Atlassian, please move this up your list. The current existing plugins (secureLogin for Jira/Confluence) are broken.

            Tom Tenaglia added a comment -

            Actually, Matt, the assistant who answered the inquiry assigned it to a product manager, who then told me that Atlassian is working on getting Atlassian ID implemented first, which would allow them to implement 2FA, and that 2FA is on the radar, and he openly admitted they haven't been good at communicating the plan.

            So, it is coming. Once each cloud product uses Atlassian ID, my understanding is it'll be a more centralized account-level 2FA.

            Matt Troke added a comment -

            Tom, did you receive any response from the CEOs? I am also in need of a two-factor authentication solution for Jira/Confluence and would prefer to go with a hosted solution.


            Tom added a comment -

            I emailed their CEOs via the Contact CEOs link, and this is what I said...

            ------------------

            Hi Scott and Mike,

            In case you don't already know this, I want to bring to your awareness the perception that Atlassian is not putting security as a top priority.

            Atlassian Cloud, while very enticing to use (in fact I'm a customer), does not support two-factor authentication or IP restrictions (functions that do exist in the self-hosted products through add-ons). I think a number of people are only using the cloud because of the potential promise to have these features simply because JIRA tickets are open for these; however, these tickets are now years old (see: https://jira.atlassian.com/browse/CONF-24322 and https://jira.atlassian.com/browse/CLOUD-2636 ) and I can only imagine are now detracting people from using the solution.

            While Bitbucket added two-factor authentication recently, issues arose from using it with integrations such as Bamboo. The workaround has been to use Bitbucket repositories in Git mode, which tells me the Git mode is not protected by two-factor. See: https://jira.atlassian.com/browse/BAM-16282

            In addition, Bamboo has required root level AWS credentials, and Atlassian has yet to publish an AWS IAM policy that would lock down the ID. Given that my AWS instance is two-factor protected, Bamboo Cloud is not two-factor protected, and Bamboo requires root-level AWS credentials, someone could bypass additional security on my AWS account through a compromised Bamboo Cloud. See: https://jira.atlassian.com/browse/BAM-11932

            This is probably not a risk you want.

            I even offered to partner and set up managed instances for customers protected by 2-factor and IP restrictions.

            Oh, and the product development decision on Crowd on this ticket is pretty much saying security is not a focus: https://jira.atlassian.com/browse/CWD-677

            In 2015, every site, and I do mean every, should have two-factor authentication - especially ones that deal with mission-critical business data such as the Atlassian suite.

            While Support has told customers (reading from customer comments) to go with the self-hosted solution of the products, we know for many that is just not possible, hence why the Atlassian Cloud is such a viable solution.

            Can Atlassian please prioritize security higher in 2016, implement two-factor authentication and IP restrictions in all their products, or at a minimum provide the hook for marketplace add-ons to do it for Atlassian Cloud? (I would love to use Duo: https://jira.atlassian.com/browse/CLOUD-7828 )

            Thanks,

            Tom


            Brett Taylor added a comment -

            Go2Group has a commercial shrink-wrapped solution available for two-factor authentication for RSA as well as US Government and NATO CAC and PIV cards, and also commercial smart cards.

            See http://www.go2group.com/security/

            Matthew Hutton added a comment -

            That this isn't implemented is a huge negative for Atlassian's products.

            Tom added a comment -

            I'm tired of waiting for Atlassian. I will provide an Atlassian managed cloud for you to get two-factor authentication and IP restrictions. If you are open to this idea, let me know here: http://smsworkflow.com/site/managed-cloud-interest/


            Steven Clarkson added a comment -

            Voting for this as well. Insane that a product at this price point doesn't natively support 2 factor. I would rather not use a plugin or 3rd party to accomplish this.

            Emanuel Borsboom added a comment -

            Another would be to support proper integration with Duo Security. We worked around the lack of this built-in 2FA support by using Duo's LDAP authentication proxy. It was a pain to set up and the integration is poor (authentication just hangs until the login is approved via Duo, and the error messages if 2FA fails are meaningless), but it does mostly work.

            Nuno Loureiro added a comment -

            Support for 2-FA could be implemented in several ways. To be constructive, here are some ideas:

            • Optionally require 2-FA only if the user is authenticating from a new device
            • Support Yubikey
            • Support Google Authenticator
            • Support HOTP and/or FIDO U2F
            • Support push notification to your mobile app with the OTP

            Nuno Loureiro added a comment -

            It's a really big disappointment that Atlassian doesn't support 2-FA yet. It's 2015 guys, seriously!

            Sunny Lakhiyan added a comment -

            We are using Thycotic to protect access to Confluence. It is laughable that Atlassian still has not released anything re this. Not even a roadmap! I could be wrong and am looking forward to being told they have!

            Brett Taylor added a comment -

            Go2Group has 2-factor working with RSA and with CCA US / NATO CAC and PIV cards, as well as other smart cards.

            These are shrink-wrapped products.

            We are working on RSA certification right now.

            Bryan Stone added a comment -

            For any cloud-based product, this should be a requirement - especially with the latest attacks being publicized. 2-factor may not be the only mechanism, but relying on a singular user/password scheme is not good enough.

            Sebastian Nohn added a comment -

            In 2015, 2FA support should be standard for any commercial product.

            Emanuel Borsboom added a comment -

            We got 2FA working with Crowd by moving our user directory into OpenLDAP and then using Duo's auth proxy to get Duo to do 2FA. This basically works but is not ideal, since there is no UI feedback for the 2FA (it just hangs until the login request is approved), doesn't support Duo sending a text message with an auth code, and users with a hardware token need to append their OTP to the password field. Here's our authproxy.cfg:

                [ad_client]
                host=localhost
                service_account_username=cn=admin,dc=example,dc=com
                service_account_password=ADMIN PASSWORD
                search_dn=dc=example,dc=com
                auth_type=plain
                bind_dn=cn=admin,dc=example,dc=com
                username_attribute=cn

                [ldap_server_auto]
                port=3389
                client=ad_client
                ikey=INTEGRATION KEY
                skey=SECRET KEY
                api_host=API HOSTNAME
                failmode=secure
                exempt_primary_bind=false
                exempt_ou_1=cn=admin,dc=example,dc=com

            This assumes that slapd is running on the same server as Crowd. You just switch Crowd's LDAP connector to connect to port 3389 (duoauthproxy) instead of 389 (slapd itself).
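            Added example (not part of this thread, and not Duo's or Atlassian's code): a small Python check to run over an authproxy.cfg of the shape posted above before Crowd's LDAP connector is pointed at the proxy port. It only relies on the section and key names visible in the posted file (failmode, exempt_primary_bind, exempt_ou_N, client, host); the embedded sample is a constructed copy of that config with the same placeholders, and the function names are the example's own.

```python
"""Sanity-check a Duo Authentication Proxy authproxy.cfg before Crowd talks to it.

Added example: only the keys visible in the config posted in the thread are
inspected. The sample config is a constructed copy of that post with placeholders.
"""
import configparser

# Constructed sample: same shape as the posted authproxy.cfg, placeholder values.
SAMPLE_AUTHPROXY_CFG = """
[ad_client]
host=localhost
service_account_username=cn=admin,dc=example,dc=com
service_account_password=ADMIN PASSWORD
search_dn=dc=example,dc=com
auth_type=plain
bind_dn=cn=admin,dc=example,dc=com
username_attribute=cn

[ldap_server_auto]
port=3389
client=ad_client
ikey=INTEGRATION KEY
skey=SECRET KEY
api_host=API HOSTNAME
failmode=secure
exempt_primary_bind=false
exempt_ou_1=cn=admin,dc=example,dc=com
"""

# Placeholder strings as they appear in the posted config; a deployable file must not contain them.
PLACEHOLDERS = {"ADMIN PASSWORD", "INTEGRATION KEY", "SECRET KEY", "API HOSTNAME"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_authproxy_cfg(text):
    # DN values contain '=', so only the first '=' on a line separates key from value.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def check_authproxy_cfg(text):
    """Return a list of (severity, message) findings for the proxy config."""
    cp = parse_authproxy_cfg(text)
    findings = []
    if not cp.has_section("ldap_server_auto"):
        return [("error", "no [ldap_server_auto] section: nothing listens for Crowd")]
    srv = cp["ldap_server_auto"]

    # Fail closed: if Duo is unreachable, deny rather than fall back to password-only logins.
    if srv.get("failmode", "").lower() != "secure":
        findings.append(("error", "failmode is not 'secure': a Duo outage would downgrade logins to password-only"))

    # The service-account (primary) bind should not be blanket-exempted from the policy.
    if srv.get("exempt_primary_bind", "").lower() != "false":
        findings.append(("warn", "exempt_primary_bind is not 'false'"))

    # Every exempt_ou_N entry is a DN that skips the second factor; surface them for review.
    for key, value in srv.items():
        if key.startswith("exempt_ou_"):
            findings.append(("info", f"{key} bypasses 2FA for: {value}"))

    client_name = srv.get("client", "")
    if not cp.has_section(client_name):
        findings.append(("error", "ldap_server_auto.client does not name a configured client section"))
    else:
        client = cp[client_name]
        # The posted setup relies on slapd and the proxy sharing a host; with auth_type=plain,
        # a remote directory would receive bind passwords over the network.
        host = client.get("host", "")
        if host not in LOCAL_HOSTS:
            findings.append(("warn", f"client host {host!r} is not local; plain binds would cross the network"))

    # Unfilled placeholders mean the file is still a template.
    for section in cp.sections():
        for key, value in cp[section].items():
            if value.strip() in PLACEHOLDERS:
                findings.append(("error", f"{section}.{key} still holds placeholder {value!r}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_authproxy_cfg(SAMPLE_AUTHPROXY_CFG):
        print(f"[{severity}] {message}")
```

            On the posted config the only errors are the four placeholders; flipping failmode to anything other than secure, or pointing the client at a non-local host, adds findings. The check is deliberately limited to settings the thread shows; it does not model the rest of the proxy's option set.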

            Michal Paraschidis added a comment -

            You can also use SSO with 2FA if VPN is not acceptable (again, this is my personal, temporary suggestion until Atlassian implements it in their products).

            Michal Paraschidis added a comment -

            Ingomar, you misunderstood that. I don't work for Atlassian; it's the workaround I found acceptable...

            kgbvax added a comment -

            The fact that Atlassian is pointing their clients which ask for 2FA to VPN is, well, not helping. Leave user experience aside, you may have a much larger population of Atlassian product users than VPN users. VPN is support intensive.

            Found this:
            When we make internal decisions we ask ourselves "how will this affect our customers?" If the answer is that it would 'screw' them, or make life more difficult, then we need to find a better way. We want the customer to respect us in the morning.


            Michal Paraschidis added a comment -

            Laurent, you could temporarily secure access to Atlassian by enforcing use of a VPN to connect to Atlassian, which would require 2-factor authentication. I know it's not ideal, but it would increase security.

            lchazallon added a comment -

            Now I must find a solution for my company and also my customers. So my choice is:

            • Stop using Atlassian products and explain to my customers why we change
            • Get an existing Google Apps solution
            • Or create mine

            Elian Kool added a comment -

            We are currently looking into Tokenizer, which looks pretty cool.

            The main issue with the Atlassian way is that everything needs to be implemented 3 times (JIRA, Confluence, Crowd).

            Ionic Security added a comment -

            This would be very valuable to us. We're currently evaluating writing our own solution in house, but would greatly prefer to have a standards-based solution built by Atlassian.

            Michal Paraschidis added a comment -

            Bert, thanks for that, do you have any plans implementing Google Authenticator in your solution?

            Brett Taylor added a comment -

            We have made progress on two-factor authentication for Crowd, now supporting various 2-factor methods. See http://doc.go2group.com/pages/viewpage.action?pageId=33882973
            We support US Gov ID CAC/PIV cards for SSO. Can adapt to others.

            angelosarto added a comment -

            RFC 6238 is an open and well-supported standard - I agree the other 2FA support is nice, but I could definitely see RFC 6238 being available by default and the rest being supported through plugins.

            Alex Lewis added a comment -

            +1


            Michal Paraschidis added a comment -

            I agree with Benjamin, this feature is really needed.

            Benjamin D. Smith added a comment -

            I am rather surprised that Atlassian products still do not support two-factor authentication, when the practice is rapidly becoming industry standard.

            Michael Steiner added a comment -

            It would be almost a two-liner, wouldn't it?

                function GoogleAuthenticatorCode(string secret)
                    key := base32decode(secret)
                    message := floor(current Unix time / 30)
                    hash := HMAC-SHA1(key, message)
                    offset := value of last nibble of hash
                    truncatedHash := hash[offset..offset+3]  //4 bytes starting at the offset
                    Set the first bit of truncatedHash to zero  //remove the most significant bit
                    code := truncatedHash mod 1000000
                    pad code with 0 until length of code is 6
                    return code

            (Source: http://en.wikipedia.org/wiki/Google_Authenticator)

            Alex Christopher added a comment -

            I implement Atlassian everything, but also MFA. Everyone is implementing MFA: Office 365, Azure, Google, Apple accounts, etc. Atlassian products are enterprise tools with all kinds of confidential info. How hard is it for someone to keylog/record your password? Look over your shoulder?

            I would prefer this security feature over all the countless gimmick updates.

            Eddie Jaoude added a comment -

            Two Factor Authentication (tfa) is now a standard across many online services from Facebook, LinkedIn, Github etc. Atlassian products need to support this!! http://twofactorauth.org

            dbroyles_turner added a comment -

            Internal security audit has identified Crowd as not meeting security requirements. Obviously, we'd prefer that 2-factor be added over switching auth platforms.

            Ky Pham added a comment -

            I hope there is real progress for this feature. It is a blocking point for us to move sensitive data into Confluence.

            Jerry Qassar added a comment -

            This is well-intentioned, I'm sure, but this is an issue relating to Crowd's ability to support two-factor authentication in general, not JIRA's or Confluence's, and thus saying 'use Authy' or 'use DUO' is not helpful:

            • Crowd may be acting as the identity service for non-supported Atlassian or non-Atlassian products;
            • Hosting identity service mechanisms outside the organization might be proscribed (thus, Crowd);
            • Sending codes to personal devices may not be allowed;
            • Tokens may already be distributed (cards, fobs) that cannot be externally managed.

            Third parties have claimed to do it on the Answers site in the past, so it is possible.

            Andew Marick added a comment -

            DUO-Security has a 2-factor plug-in for JIRA / Confluence.

            MikeM added a comment -

            From an enterprise perspective, most companies have already implemented their 2 Factor solution. For example RSA Authentication Manager along with various Web Agents. The only way currently to have any solution with Crowd is by applying the two factor request at the Apache or web server level.

            Crowd has an opportunity here. It could be the single entry point to the Atlassian application stack, that could support SAML, RSA, CAC, etc... I thought that was the idea?


            Jerry Qassar added a comment -

            The smart card market for large corporate/government instances is almost certainly more than 1%, especially in locations where text messages are not allowed or dongles would be redundant.

            It doesn't matter what the second factor is, however, if Crowd doesn't bother supporting it.

            prdonahue added a comment -

            Holy ticket spam, Brett Taylor. I'd say the number of people looking to use smart cards are < 1% of those looking for two-factor. Most people these days are satisfied with something like Authy (https://www.authy.com/).


            Brett Taylor added a comment -

            Go2Group has SSO for CAC and PIV for Confluence. See SSO CAC and PIV authentication in Marketplace.
            https://marketplace.atlassian.com/plugins/G2G-CAC-JIRA
            We can extend this solution past CAC and PIV, let us know what you are using. Ping us at sales@go2group.com

            prdonahue added a comment -

            Surprised this isn't in yet? Add me to the long list of people awaiting such functionality/support.


            Themis Solutions added a comment -

            This is an extremely necessary update for Atlassian to implement.

            Ben F added a comment -

            +1, it would give me more peace of mind if JIRA OnDemand supported two factor authentication, which I assume is dependent on Crowd support.


            Philip Colmer added a comment -

            If you need a +1, here is my vote.

            We've just switched from Google Accounts to Crowd SSO and that has meant the removal of 2-factor authentication (as Google doesn't support 2fa with SSO), and that is bringing in complaints.

            Helen Hung (Inactive) added a comment -

            Hi everyone,
            Thanks for your feedback on two-factor auth and I apologise that we have not been able to provide consistent responses to every one of you. Your comments do not go unnoticed - we acknowledge that this is an unresolved issue, and one that is a requirement for some of your organisations. This is on our radar of features/improvements to invest in (which you can imagine is not short). Unfortunately, I can't promise you a specific release time for this at the moment, as it is not planned for the short term. Once we have settled on a more concrete date or release for this, I will provide an update here.
            Cheers
            Helen Hung
            Product Manager

            Brett Taylor added a comment -

            You can have a look at this: http://doc.go2group.com/display/G2GLabs/Client+Cert+Authentication
            This supports the two-factor CAC card login for JIRA, Confluence and Crowd.
            It could be extended to support biometrics, etc.

            Ankur Sethi added a comment -

            It is very telling that the Atlassian product for integrated identity management and authentication does not support any two-factor authentication and in 2011 they asked people to just code their own. As people are mentioning, there is RFC 4226 HOTP for two-factor. I think Crowd needs to support this.

            Archie Cobbs added a comment -

            FYI, Google two-factor authentication uses RFC 4226 HOTP/OATH. Their Google Authenticator mobile app (and others like it) support RFC 4226 as well.

            So no special hardware/tokens are needed, and no proprietary servers are needed. The actual calculation is very simple and just requires a SHA-1 hash computation.
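            The Google Authenticator pseudocode in Michael Steiner's comment and the RFC 4226 / RFC 6238 references in the comments above describe the same computation. As an added example that is not part of this thread and is not code from Crowd, Google Authenticator or any plugin mentioned here: a standard-library Python implementation of HOTP and TOTP, checked against the SHA-1 test vectors published in those RFCs, plus the server-side verification step the pseudocode leaves out (a small clock-drift window, and refusing to accept a time step that has already been used). Function and parameter names are the example's own.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, with server-side verification.

Added example, not from the issue thread. Uses only the standard library; the
key below is the RFCs' published test key, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time

# ASCII test key shared by RFC 4226 appendix D and the RFC 6238 SHA-1 vectors.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # clear sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(T / step); the pseudocode's 'message'."""
    return hotp(key, unix_time // step, digits, algo)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (the pseudocode's 'secret')."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                      # tolerate unpadded secrets
    return base64.b32decode(cleaned)


def verify_totp(key: bytes, submitted: str, unix_time: int, last_accepted_step: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Accept a code only within +/- `window` steps of now, and never for a step already used.

    Returns (ok, new_last_accepted_step). The caller persists the step per user
    (start at -1 for a new user) so a code captured in transit cannot be replayed
    during the rest of its validity window.
    """
    submitted = submitted.strip()
    now_step = unix_time // step
    for delta in range(-window, window + 1):
        candidate = now_step + delta
        if candidate <= last_accepted_step:
            continue                                          # replay, or older than last use
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):  # constant time
            return True, candidate
    return False, last_accepted_step


if __name__ == "__main__":
    print("HOTP(counter=0):", hotp(RFC_TEST_KEY, 0))                       # 755224 per RFC 4226
    print("TOTP(T=59, 8 digits):", totp(RFC_TEST_KEY, 59, digits=8))      # 94287082 per RFC 6238
    print("current 6-digit code:", totp(RFC_TEST_KEY, int(time.time())))
```

            The verification loop is the part an integrator actually has to get right: compare in constant time, bound the drift window, and record the last accepted step so the same code cannot be presented twice inside its 30-second validity.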

            Jason Brody-Stewart added a comment -

            Have you taken a look at partnering with CRYPTOCard for your two-factor auth? Basically there would be a mobile app that generates a one-time key for each time you log in.

            Stefan Reuter added a comment -

            As this doesn't seem to be a priority for Crowd we've integrated OATH HOTP into Apache DS which is backing our Crowd installation. Works quite well and the effort is not too high. Basically all you need is an additional implementation of the Authenticator interface.

              Pawel Cieszko
              DonnaA
              Votes: 535
              Watchers: 342