Status: Gathering Interest (View Workflow)
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.
New feature request.
In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication.
One candidate is two-factor authentication using the RFC 4226 (OATH/HOTP) standard. This requires the user to have a token that will generate the one-time passwords. However, several software tokens now run on cell phones, so this is less of a burden these days. This also requires an ability to configure JIRA with the token's secret hex key, which amounts to adding a new field in the edit user page.
Instead of using only their password to login, the user would enter their password followed by the one-time password generated by the token. The JIRA authentication code would compute the same one-time password to verify. The algorithm is simple and open source versions exist.
Examples of software out there using the OATH algorithm (these happen to be written by me):
- OATH Token for iPhone
- mod_authn_otp Apache authentication module.
- is related to
CONFCLOUD-24322 Two Factor authorization, like Gmail has, to Confluence
JRASERVER-20999 Allow user accounts to require two-factor authentication using RFC 4226
- Gathering Interest