JRASERVER-20999

Allow user accounts to require two-factor authentication using RFC 4226


Details


    Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      New feature request.

      In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication.

      One candidate is two-factor authentication using the RFC 4226 (OATH/HOTP) standard. This requires the user to have a token that will generate the one-time passwords. However, several software tokens now run on cell phones, so this is less of a burden these days. This also requires an ability to configure JIRA with the token's secret hex key, which amounts to adding a new field on the edit-user page.

      Instead of using only their password to log in, the user would enter their password followed by the one-time password generated by the token. The JIRA authentication code would compute the same one-time password to verify. The algorithm is simple and open-source versions exist.
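      As an added illustration (not code from this issue or from Jira), the RFC 4226 computation the request describes, together with the server-side check that would sit behind the proposed "password followed by one-time password" login: the verifier keeps a per-user counter, accepts a small look-ahead window for a token that was pressed without logging in, and never moves the counter backwards, so a code that was already used or captured cannot be replayed. Function and class names are my own, and the secret is the RFC 4226 Appendix D test key.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test secret, ASCII "12345678901234567890" as hex.
RFC4226_TEST_SECRET_HEX = "3132333435363738393031323334353637383930"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation of the 20-byte MAC, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user: the shared secret (the 'secret hex key'
    the proposal would store on the edit-user page) and the next expected counter.
    Hypothetical class, not part of Jira."""

    def __init__(self, secret_hex: str, look_ahead: int = 5):
        self.secret = bytes.fromhex(secret_hex)
        self.counter = 0          # next counter value the server will accept
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        # Check the expected counter and a small window ahead (RFC 4226 sec. 7.4).
        # Never look backwards: a previously accepted code is rejected as a replay.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # resynchronise past the consumed value
                return True
        return False


def split_credential(entered: str, digits: int = 6):
    """The proposal has the user type password + OTP in one field; split them.
    Returns (password, otp) or None if no plausible OTP suffix is present."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]


if __name__ == "__main__":
    v = HotpVerifier(RFC4226_TEST_SECRET_HEX)
    pw, otp = split_credential("hunter2" + hotp(v.secret, 0))
    print(pw, otp, v.verify(otp), v.verify(otp))  # second verify is a replay
```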

      Examples of software out there using the OATH algorithm (these happen to be written by me):

      People

        Assignee: Unassigned
        Reporter: Archie Cobbs
        Votes: 156
        Watchers: 124