Uploaded image for project: 'Identity'
  1. Identity
  2. ID-8500

Allow user accounts to require two-factor authentication using RFC 4226



    • 4
    • 23
    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.


      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      New feature request.

      In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication.

      One candidate is two-factor authentication using the RFC 4226 (OATH/HOTP) standard. This requires the user to have a token that will generate the one-time passwords. However, several software tokens now run on cell phones, so this is less of a burden these days. This also requires an ability to configure JIRA with the token's secret hex key, which amounts to adding a new field in the edit user page.

      Instead of using only their password to login, the user would enter their password followed by the one-time password generated by the token. The JIRA authentication code would compute the same one-time password to verify. The algorithm is simple and open source versions exist.

      Examples of software out there using the OATH algorithm (these happen to be written by me):


        Issue Links



              Unassigned Unassigned
              c47b9d1812f1 Archie Cobbs
              82 Vote for this issue
              63 Start watching this issue