
Allow user accounts to require two-factor authentication using RFC 4226


      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      New feature request.

      In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication.

      One candidate is two-factor authentication using the RFC 4226 (OATH/HOTP) standard. This requires the user to have a token that will generate the one-time passwords. However, several software tokens now run on cell phones, so this is less of a burden these days. This also requires an ability to configure JIRA with the token's secret hex key, which amounts to adding a new field in the edit user page.

      Instead of using only their password to login, the user would enter their password followed by the one-time password generated by the token. The JIRA authentication code would compute the same one-time password to verify. The algorithm is simple and open source versions exist.

      Examples of software out there using the OATH algorithm (these happen to be written by me):
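The description above sketches how JIRA would verify an RFC 4226 code typed after the password. What follows is an added example, not one of the reporter's programs and not JIRA code: it assumes the per-user secret is stored as hex (the RFC 4226 test-vector secret is used here), 6-digit codes, and a small server-side look-ahead window for resynchronisation.

```python
# Added example: RFC 4226 HOTP generation plus the server-side check for a
# login field of the form "<password><6-digit OTP>". Not from the issue or JIRA.
import hashlib
import hmac
import struct

# RFC 4226 appendix D test secret ("12345678901234567890"), written as the hex
# string an admin would paste into the proposed token-secret field.
SECRET_HEX = "3132333435363738393031323334353637383930"
OTP_DIGITS = 6
LOOK_AHEAD = 3  # RFC 4226 s7.4 resync window: codes the user may have burned


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, zero-padded."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Per-user state: the shared secret and the next counter the server expects."""

    def __init__(self, secret_hex: str, counter: int = 0):
        self.secret = bytes.fromhex(secret_hex)
        self.counter = counter

    def verify(self, submitted: str) -> bool:
        """Accept a code matching counter..counter+LOOK_AHEAD, then move past it.
        Comparison is constant-time and the counter never rewinds, so a code
        captured from one login cannot be replayed."""
        if len(submitted) != OTP_DIGITS or not submitted.isdigit():
            return False
        for step in range(LOOK_AHEAD + 1):
            candidate = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(candidate, submitted):
                self.counter += step + 1              # consume this and skipped codes
                return True
        return False


def split_password_and_otp(typed: str):
    """The login field is 'password followed by OTP': peel the last 6 digits off."""
    if len(typed) <= OTP_DIGITS:
        return None, None
    return typed[:-OTP_DIGITS], typed[-OTP_DIGITS:]
```

The counter must be persisted per user after every successful check; storing it only in memory would let a restart reopen already-used codes.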


            Pawel Cieszko added a comment - Both Cloud and Data Center solutions support 2SV. https://confluence.atlassian.com/enterprise/manage-two-step-verification-for-your-atlassian-account-1384125346.html https://support.atlassian.com/atlassian-account/docs/manage-two-step-verification-for-your-atlassian-account/


            Archie Cobbs added a comment - Although this is a few months late, as the creator of this issue, I want to be the first to say HAPPY TENTH BIRTHDAY!!! 🎈🎉


            Andrea Rodriguez added a comment - Is there a target date for releasing this 2FA?


            Yaroslav Filyk added a comment - Bitbucket already has support for U2F keys which is immensely helpful. Just need to add it to Jira now.


            Michael Yecies added a comment - +1 for Yubico / Yubikey.


            Sylvain Audet added a comment - I also vote for Duo Security for Atlassian Cloud and I agree with Bruce that Atlassian is not taking 2FA seriously. All major players are now supporting 2FA and a lot of smaller players are also supporting 2FA. This request was created in 2010 and there's still plan to support 2FA in Atlassian cloud.


            Bruce Simpson added a comment - P.S. We want to use Duo Security for this. I'm not really interested in these other piecemeal 2FA offerings. That's available and ready to roll for bespoke instances, but not Atlassian Cloud / OnDemand.


            Bruce Simpson added a comment - We need to send out a road warrior to a client in a remote country. The risk profile demands we implement 2FA. We use JIRA and Confluence extensively. The lack of standardised 2FA support for Atlassian's cloud offering is absolutely scandalous. We should not have to incur the technical debt of running & maintaining our own instances to secure it. This is what we pay you for!

            Titus added a comment -

            @Denise Herbst

            What do you mean by "the SecSign items won't work"? SecSign ID is much more than just a tool for using "JIRA from the phone".
            SecSign ID is a challenge-response two-factor authentication based on 2048-bit key pairs where you have to use your smartphone as an identifier like a smartcard. This means it is a real two-factor authentication and not just a two-step solution. But of course you can use it even as a two-step solution.
            So it is about the requirements on the two-factor authentication. We would be happy to assist you or to set up a test scenario for your JIRA environment.
            Please write us a short email. I am sure that we can help you.

            Kind regards
            Titus / SecSign Technologies Inc

            https://www.secsign.com/support/
            https://marketplace.atlassian.com/plugins/com.secsign.secsignid/server/overview



            Denise Herbst added a comment - Is this a potential option for 2FA: https://doc.go2group.com/pages/viewpage.action?pageId=33882661 The website says this is a CAC/PIV Authenticator for the Atlassian Suite

              Assignee: Unassigned
              Reporter: Archie Cobbs
              Votes: 82
              Watchers: 64