
2FA security bug on login?

travistst June 24, 2024

Why did I just have to set up 2FA again? I already had 2FA set up. I logged in today and got prompted to set up 2FA again. So I proceeded to see what would happen. Setup was successful and I was also able to use a key from the old 2FA setup to log in to my account. Now I have 2 2FA codes I can use to get into my account. Looks like a security bug.

2 answers

1 accepted

0 votes
Answer accepted
travistst June 25, 2024

Hello, I see "essentially you will first need to authenticate with your Atlassian Account before you are able to authenticate with your Bitbucket Cloud account." That doc was last updated 15 Sept 2023? How did I not get a prompt to enable the other 2FA before yesterday? Multiple web logins since 15 Sept 2023 and not until yesterday do I get prompted with a confusing request to enable another 2FA.

That doc seems focused on if users forgot or don't know one of the other factors. As of today I have to go through 3 steps. This is what my login flow looks like now:

  1. Visit Atlassian to view my Bitbucket, click login
  2. Enter username and password
    1. redirect to 2FA
  3. Enter 2FA code
    1. redirected to another 2FA
  4. Enter a different 2FA code
  5. Access repository

The link says I can disable one, but how do I know which one I should disable without dissecting all Atlassian resources or compromising security? How do I directly log in to my Bitbucket instead of having to go through redirects and enter 3 forms of auth? Is there a specific link I can visit to get past this when I just want to log in to Bitbucket? It seems more like an engineering bug with the workaround being this confusing UX. Did someone just push the code to prompt for the extra 2FA yesterday?

 

travistst July 9, 2024

No response to the direct questions? I guess "We received your request. Help is on the way! An Atlassian Support Engineer will review the post and respond on this thread within 2 business days." is also just words that don't mean anything.

1 vote
Ben
Atlassian Team
June 24, 2024

Hi travistst,

There are 2 layers of MFA present here, one layer is at the Atlassian account level and the other is at the Bitbucket Cloud account level - more information may be found below:

Hope this helps.

Cheers!

- Ben (Bitbucket Cloud Support)
