Hi all,
I have my company account which has the internal SSO provider. However I'm consulting for an organization who have added me, but they have the org settings to require accounts to have two-step authentication.
My SSO provider DOES use 2FA when I login.
Anyway, I login, and get a page that says I need to Enable two-step verification.
So I go through the process to add it to my account... grab the code and enter it, but it says the code is wrong.
I've let it refresh, and double checked the code, but it still won't be accepted.
Is there something that's wrong with my account? Or anything I can get the IT admin to do (other than turn off two-step auth for all)?
Thanks
Hello @Sean Holmesby
Are you able to provide a screenshot of the 2FA screen — even the one that says the code is wrong?
If another organisation adds you to their site — you are an external user from their perspective. The only authentication policy in THEIR org that may be applied to you that requires 2FA is the External User Policy. This is applied AFTER you've authenticated to Atlassian Cloud in general via your own IdP and your own IdP's 2FA.
The External User Policy only has two possible 2FA settings — email one-time password or SSO via IdP (THEIR IdP not yours): https://support.atlassian.com/security-and-access-policies/docs/available-external-user-security-settings/
Since you are saying you are presented with a request to enrol in 2FA — this sounds like the IdP option, not the Atlassian one. This is what I want to confirm with a screenshot.
If the screens are in fact Atlassian – this is unexpected and is probably worthy raising with support.atlassian.com
Hi, @Sean Holmesby 👋
This may depend on which security policy is actually being applied to your account.
MFA in your own SSO/identity provider is not always the same thing as Atlassian account two-step verification. If SAML SSO is enforced for managed accounts, two-step verification is usually handled in the identity provider rather than through Atlassian’s authentication policy.
Atlassian’s docs mention that:
For managed accounts with enforced SSO, two-step verification is normally handled in the identity provider: https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/
For external users, the organization can enforce additional verification through external user security settings: https://support.atlassian.com/security-and-access-policies/docs/authentication-policy-settings-for-your-organizations/
Atlassian also has a troubleshooting page for two-step verification login issues here:
https://support.atlassian.com/atlassian-account/docs/login-issues-related-to-two-step-verification/
What I’d ask the consulting org admin to check:
Hope this helps! 💙
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
The external user policy doesn't support authenticating with an Authenticator – only SSO via an IdP or an email one-time code: https://support.atlassian.com/security-and-access-policies/docs/available-external-user-security-settings/
The way this is described it sounds like that other organisation is using their own IdP so the issue is there not in Atlassian at all.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks @Ed Letifov _TechTime - New Zealand_ - good catch! 🙌
So in Sean’s case, I'd separate this into two possibilities:
Either way, the best next step is probably for the consulting org admin to check which policy is actually being applied to their account, because the error page wording may not make that very obvious from the user side.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Yeah @Brita Moorus but the "Atlassian account / managed account 2SV" will not apply to @Sean Holmesby account in somebody else's org — his account is already claimed by HIS org, and his own org's IdP (with 2FA) applies to that.
And the email one wouldn't require one to enrol in 2FA.
So it's either that other org's IdP problem or something very wrong with Sean's Atlassian account indeed.
Like: was the email invited to the other org ACTUALLY the same? Was there a request to set password? (the wouldn't be one if it's the same Atlassian account)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks, that makes sense, and thanks for clarifying 💙
I was mixing in the broader Atlassian account two-step verification flow too much. If their account is already managed by his own org then the consulting org’s policy should apply to him as an external user only.
So yes, a screenshot would probably be the best next step to confirm whether they are seeing Atlassian’s screen or the consulting org’s IdP screen. If it is really Atlassian asking for authenticator-based two-step verification, then that sounds like something Atlassian should check on their end.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks for your responses.
The two-step verification page appears to me to be an Atlassian 2FA page.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
1) OK so this is Bitbucket Cloud 2FA, which is separate from Atlassian Cloud organisation setup / Guard. Probably a legacy Bitbucket instance and/or hasn't been integrated with Atlassian Cloud organisation properly.
2) If the code is not being accepted back in that very page – that's a problem worthy raising with Atlassian. No need to talk about your IdP, your 2FA, etc. — this is just a problem with Bitbucket 2FA
3) You may want to delete the images you've posted or at least redact them — as they show your email address AND the TOTP key
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
@Ed Letifov _TechTime - New Zealand_ Thanks. I've updated the images. I will chase this up with Atlassian.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Interesting one.
A few questions that might help narrow this down:
For the organization’s admin, I’d ask them to verify:
That should help determine whether this is a policy/configuration issue or a problem with the 2SV setup itself.
And if you have sorted or solved this, please share the knowledge and spread the word.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks for your response. Here are my answers to your questions.
- I use my company SSO to authenticate. Not through Atlassian Guard.
- I believe it's Atlassian account 2FA being asked for. Screenshot below.
- I've tried Authy once, and Authenticator... both on iPhone. Yes time is auto synced also.
- Yes, tried the newly generated code as well.
Thanks for the advice, I'll check in with the org admin on my account details.
Here is the screenshots of the 2FA requirement.
Thanks
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Have you had chance to see the issue is? Curious to know
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.