Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Bitbucket LFS, Access Keys & 2FA

We are getting an authentication failure when trying to clone a Bitbucket repo with LFS enabled using an access key, which we think might be related to having 2-factor authentication.

With GIT_TRACE=1 git clone resulted in this:

trace git-lfs: tq: sending batch of size 1
trace git-lfs: ssh cache: git-lfs-authenticate XXXX/XXXX.git download
trace git-lfs: api: batch 1 files
trace git-lfs: HTTP: POST
trace git-lfs: HTTP: 403
trace git-lfs: HTTP: {"type": "error", "error": {"message": "To access this repository, enable two-step verification."}}
trace git-lfs: api error: Authorization error:
Check that you have proper access to the repository

Our admin temporarily disabled 2FA and the clone was successful.

A clone with an account level SSH key is also successful.

Unfortunately we have constraints that mean we need both 2FA and to use a repo Access Key.

Is this expected behaviour or a bug?





1 answer

1 accepted

0 votes
Answer accepted
Ana Retamal Atlassian Team Jun 12, 2018

Hi Tom! Apologies for the delayed response, hopefully it will still help you or someone else from our Community :) 

If you set “ensure that the user has 2FA” there are only two ways to clone the repos:

  1. Using SSH

  2. Using app password (only method supported while using HTTPS)

You won't be able to clone it using your regular credentials, you'll need to use your username (not the email address) and the app password. If you need more info ron how to generate it, please read App passwords.


Let us know if you have any questions!
Kind regards,

I don't believe this answers the question, and I'm running into the same problem. The question is about Git LFS failing. Normal Git operations work fine against SSH, but if you are using an SSH Access Key (repository-scoped) and try to perform LFS commands on an organization that enforces 2FA, then LFS commands fail with a 403 error.

To reproduce:

  • Create a repository with LFS and push up at least one file that is in LFS
  • Set your organization to enforce 2FA
  • Create a repository Access Key by uploading a public key
  • Standard Git Clone and Fetch commands work fine on that repo
  • Git LFS commands fail

Git LFS operates over HTTPS, but a repo Access Key is only an SSH key. This normally isn't a problem for Git LFS, because the protocol is designed to use SSH to download a temporary HTTPS authentication header using `git-lfs-authenticate`:

ssh git-lfs-authenticate myworkspace/myrepo.git download

This command successfully returns a JWT intended for use within subsequent Git LFS HTTPS operations. (you can see this chatter if you set GIT_CURL_VERBOSE=1)

That JWT authentication token works fine if your organization does not enfore 2FA.

However, if your organization enforces 2FA, then the HTTPS attempts using that JWT token fail with a 403 and the message "To access this repository, enable two-step verification."

And that's the problem: The SSH key is tied to a repository-scoped Access Key, which has no chance of having 2FA.

This effectively means that Access Keys are unusable on repos relying on LFS, when your organization enforces 2FA.

Like Jesse Shaver likes this

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket

📣 Calling Bitbucket Data Center customers to participate in research

Hi everyone, Are you Bitbucket DC customer? If so, we'd love to talk to you! Our team wants to dive deep to understand your long-term plans regarding Bitbucket DC and Atlassian Cloud. Do you plan...

184 views 2 4
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you