Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JRACLOUD-20999

Allow user accounts to require two-factor authentication using RFC 4226

    XMLWordPrintable

Details

    • 1
    • 23
    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      New feature request.

      In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication.

      One candidate is two-factor authentication using the RFC 4226 (OATH/HOTP) standard. This requires the user to have a token that will generate the one-time passwords. However, several software tokens now run on cell phones, so this is less of a burden these days. This also requires an ability to configure JIRA with the token's secret hex key, which amounts to adding a new field in the edit user page.

      Instead of using only their password to login, the user would enter their password followed by the one-time password generated by the token. The JIRA authentication code would compute the same one-time password to verify. The algorithm is simple and open source versions exist.

      Examples of software out there using the OATH algorithm (these happen to be written by me):

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              c47b9d1812f1 Archie Cobbs
              Votes:
              81 Vote for this issue
              Watchers:
              63 Start watching this issue

              Dates

                Created:
                Updated: