Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-20999

Allow user accounts to require two-factor authentication using RFC 4226



    • 41
    • 26
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.


      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      New feature request.

      In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication.

      One candidate is two-factor authentication using the RFC 4226 (OATH/HOTP) standard. This requires the user to have a token that will generate the one-time passwords. However, several software tokens now run on cell phones, so this is less of a burden these days. This also requires an ability to configure JIRA with the token's secret hex key, which amounts to adding a new field in the edit user page.

      Instead of using only their password to login, the user would enter their password followed by the one-time password generated by the token. The JIRA authentication code would compute the same one-time password to verify. The algorithm is simple and open source versions exist.

      Examples of software out there using the OATH algorithm (these happen to be written by me):


        Issue Links



              Unassigned Unassigned
              c47b9d1812f1 Archie Cobbs
              160 Vote for this issue
              132 Start watching this issue