Hi,
I have an account which is used for many things, one of which is automated cleaning of the instance. In order to clean my instances I have to be logged in. I found out that when I try to log in from a browser other than my main one I have to enter this 8-digit code. Not to be confused with the 6-digit one from the MFA. Also, when I run the code for cleaning the instance using Docker, I was able to reproduce the problem every time.
I would like to know when this 8-digit code appears and why, since I was not able to find useful information about it.
I have found this question but I have not enabled the 2FA anywhere ever:
https://community.atlassian.com/t5/Bitbucket-questions/MFA-is-disabled-but-keeps-asking-for-two-step-verification-on/qaq-p/1507904
To reproduce the problem try to log in from your main PC but use a browser you rarely use.
NOTE for the Atlassian employees: the account I am having problems with is not my current account. If you still need the email of the account, provide an email to which I can share more information.
Hi @Martin Atanasov and welcome to the Community.
Frankly, with the account issues I'd contact Atlassian Support directly.
https://support.atlassian.com/contact/#/
They solved my issues (I used a federated login and login with my email (identical to my federated login email) at the same time... ) pretty much instantly.
I've encountered this recently with one of our customers and reached out to support to get to the bottom of this.
Apparently this is "an additional layer of security" and "Atlassian implemented this feature to provide robust security measures based on our experience with how information can be mishandled" and "due to the security policy, the exact logic can't be shared".
As far as I can tell this gets triggered by the account being or becoming an org admin in some Cloud org, and possibly only in the new user management experience.
After that, any change to the IP address or your browser (I am guessing this is based on the User Agent string) will trigger this if the combination hasn't been seen by Atlassian before...
This is platform-wide and cannot be disabled by Atlassian.
And apparently the workaround is to enable the real 2FA :(
So, same as with automated tests... possibly the use of some OTPAuth library can solve this for your case :(
Hi,
We have a free subscription of the Cloud products that our development team is using, and we've started experiencing exactly this problem in the last week or so. One of the accounts in our instance, for which MFA is disabled, has started receiving the email verifications all of a sudden. This is a breaking change for some of our work (specifically an OAuth2 app we're developing). The API Token approach won't work as we need to complete the OAuth2 flow before making any REST calls.
When viewing our Directory, it indicates that all of our users are External, including me, and I set up the instance. We have not claimed a Domain, and we do not have access to Atlassian Guard as this is a dev instance for us.
Has anyone found a way to deactivate the email verification codes for specific accounts or even an entire Org?
Many thanks,
--Erik
Hello, @Erik Spears
I am from TechTime, a Platinum Atlassian Solution Partner in New Zealand and Australia, and specifically specialise in identity and Guard setup for our customers.
I have to say this is a bit puzzling. It's either something new by Atlassian, or a lot more specific information is required to remove false possibilities here... and a public forum like this is not a place for such work.
Please review this page regarding "External users": https://support.atlassian.com/security-and-access-policies/docs/who-are-external-users/
If an organisation that controls your email domain has verified this domain, and claimed some accounts – if the account that exhibits this behaviour is unclaimed, it would be considered external. At the same time your own account may be claimed and doesn't exhibit this behaviour.
This however was always understood as "...when accessing sites that belong to this organisation"
Run a "dig" search for TXT records against the domain of this account using this service: https://toolbox.googleapps.com/apps/dig/
If you see a record with the value like below – someone did verify this domain in some Atlassian Cloud org:
atlassian-domain-verification=....
So, from that instance, does your "admin cog" menu (top right, next to the avatar) display "Cloud administration" or "User Management"?
If you go there do you end up on admin.atlassian.com?
Does it show some organisation name top left next to the Atlassian logo?
Is this name the same as the site name or different?
If it's the same (which is what will happen if you just create a site "out of the blue", and this would make you the org admin), and there are no domains verified in top menu Directory/Domains or Settings/Domains (depends on the version of "User Management experience" you are on) then this deserves a ticket to Atlassian.
So please confirm the above and I will raise a ticket as a Partner, to help you and also to solve the puzzle :)
Though an org admin from another Cloud organisation that controls your domain can join as org admin of yours via "Discovered Products" (see: https://support.atlassian.com/organization-administration/docs/review-discovered-products/), transferring your products to their organisation is a hassle and a pain these days (since Transfer products functionality doesn't work with the new "centralised user management" experience).
If the organisation is named differently, and you didn't name it that way, or you don't have access to the organisation management at all – this sounds like your site (=instance) belongs to an organisation or has been taken control of by an organisation that controls your domain, and has configured an external user policy, and this problematic account is not recognised as "theirs" i.e. being treated as an external account.
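The TXT-record check described in the reply above, as an added example that is not part of the original post: a parser that pulls `atlassian-domain-verification=` values out of `dig` output. It assumes the command-line `dig` answer-section or `+short` format; the sample records and token are constructed, and the function names are hypothetical.

```python
import re

MARKER = "atlassian-domain-verification="

# Constructed sample of `dig TXT example.test` answer lines (not real records).
SAMPLE_DIG_OUTPUT = '''\
;; ANSWER SECTION:
example.test.  300 IN TXT "v=spf1 include:_spf.example.test ~all"
example.test.  300 IN TXT "atlassian-domain-verification=" "CONSTRUCTEDtoken123"
example.test.  300 IN TXT "google-site-verification=constructed"
'''


def txt_values(dig_output: str) -> list:
    """Return each TXT record as one string, joining its quoted chunks."""
    values = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig comments
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "TXT":
            rdata = fields[4]          # full answer-section line
        elif line.startswith('"'):
            rdata = line               # `dig +short` prints only the RDATA
        else:
            continue
        # A TXT record may be split into several quoted character-strings.
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
        values.append("".join(chunks))
    return values


def atlassian_verification_tokens(dig_output: str) -> list:
    """Tokens of any Atlassian domain-verification records found."""
    return [v[len(MARKER):] for v in txt_values(dig_output)
            if v.lower().startswith(MARKER)]


if __name__ == "__main__":
    found = atlassian_verification_tokens(SAMPLE_DIG_OUTPUT)
    print("domain verified in some Atlassian org" if found else "no record")
```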
Hello, @Martin Atanasov
The combination of "8-digit code" and "the account I am having problems with is not my current account" makes me think of Atlassian Guard's "external user policy".
Is this account you are using in your organisation's main email domain?
See:
If this is what you are experiencing then this was done/changed by the Org Administrators of the organisation to which this instance belongs. Assuming they've enabled 2FA for external users for a reason, you are out of luck as it's not possible to exclude a specific external user from this policy.
If the domain in fact is under control of your organisation – you can now claim selected accounts from the same domain in a different Atlassian Cloud organisation, so you should claim this account, and put it into a dedicated no-MFA policy in your Guard.
If the domain is not under your control – the only option is to switch to using a user in the domain that is under your control.