Enabling Multifactor Authentication - Bitbucket Cloud

Good morning,

Seeing that SSO is still not supported when using Bitbucket explicitly in the cloud, we were looking at enabling multi-factor authentication on our Bitbucket instance with the use of SSH key pairs.

Could somebody confirm that this can be achieved user by user as opposed to forcing MFA for every user? The goal is to minimize impact and transition to MFA gradually.

Thanks

1 answer


Hi Dimitrios! This has to be done per user; it's not possible to do it in bulk or even to enforce it. For more information on how to enable it, you can read Two step verification. However, keep in mind that if you request higher security for some of your content, every user will need to have it enabled in order to access it, as you can see at Control access to your private content.

Let us know if you have any questions!

Ana 

Hi Ana,

Firstly, thank you very much for your reply. I will proceed accordingly as you mentioned. One more thing that comes to mind is the SSH key pair, which is a prerequisite to enabling MFA.

Seeing that our Bitbucket subscription is composed of mostly internal company users and a few contractors, do I have the option of creating a single set of SSH key pairs to provide to each user?

The reason for this is better manageability, if that makes sense.

Also, once MFA is enabled, is my understanding correct that only HTTPS for applications using that protocol will be disabled? I'll still be able to log in to our Bitbucket Cloud login to merge and approve pull requests, correct?

Thanks

Hi Ana,

There is one important aspect I am missing when enabling multi-factor authentication. When it is stated that HTTPS will be disabled, does that only refer to the type of access for repo functions like cloning, pushing, pulling etc. within a project, or does that disable HTTPS access to the Bitbucket console too?

What is confusing is that if only HTTPS access to the repo itself is disabled, how does that improve security, when a dev can then access our Bitbucket account console through HTTPS and have access to the repos from there?

Hi Dimitrios

do I have the option of creating a single set of SSH key pairs to provide to each user?

That won't be possible, as once an SSH key is entered in Bitbucket, it will give an error if someone else tries to use the same one. Every user needs a different SSH key.

Also, once MFA is enabled, is my understanding correct that only HTTPS for applications using that protocol will be disabled? I'll still be able to log in to our Bitbucket Cloud login to merge and approve pull requests, correct?

I'm not sure I quite understand this question. You'll still be able to login to your account normally and perform all the operations you were able to do before, the only difference is that logging in will require an extra step for the added security. Is that what you were asking?

Regarding your latest question:

What is confusing is that if only HTTPS access to the repo itself is disabled, how does that improve security, when a dev can then access our Bitbucket account console through HTTPS and have access to the repos from there?

The dev will have the same access from the web interface as from the console; he will need to be authenticated too. I'm not sure what you're referring to when you say 'disable HTTPS access'; AFAIK that feature is only available in Bitbucket Server. Could you please clarify this?

Best regards :)

Ana

Hello Ana,

Using the same SSH keys is now clear to me.

Moving on, this is what is confusing me. (Copied from within the Bitbucket settings page)

=====quoted=======

Set up SSH on your account

Once you've enabled two-step verification on your account, you will only be able to clone, push, or pull your repository over SSH. Your HTTPS access to Bitbucket repositories will be disabled. With SSH, you'll also be able to recover your account should you lose your device.

=====end======

Does this mean that accessing the repo through apps like Git Bash, PHP Composer etc. will only be possible through SSH, and that multi-factor authentication will only be enabled for accessing the web page https://bitbucket.org/company_name?

I just want to confirm whether multi-factor authentication is enabled on both the console access and web access, or only on one of them.

You can still use HTTPS for authentication if you set up an application password: https://confluence.atlassian.com/bitbucket/app-passwords-828781300.html
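The two practical consequences raised in this thread, one SSH key pair per person and git remotes moving from HTTPS to SSH once two-step verification is on, as an added example that is not part of the original thread or of Atlassian's documentation. The workspace "acme", the user names, the repository names and the temporary paths are assumptions made for the demo:

```shell
#!/bin/sh
# Added example, not code from the thread or from Atlassian. It automates the
# two consequences of two-step verification discussed above: every person
# gets their own SSH key pair, and git remotes move from HTTPS to SSH.
# The workspace "acme", the user names and the repo names are hypothetical.
set -eu

# Rewrite a Bitbucket Cloud HTTPS clone URL into its SSH form:
#   https://[user@]bitbucket.org/<workspace>/<repo>[.git] -> git@bitbucket.org:<workspace>/<repo>.git
# A user name embedded in the HTTPS URL is dropped: over SSH the account is
# identified by the key that was registered, not by a name in the URL.
to_ssh_url() {
    url=$1
    case "$url" in
        https://bitbucket.org/*|https://*@bitbucket.org/*)
            path=${url#https://}
            path=${path#*@}              # drop optional "user@"
            path=${path#bitbucket.org/}
            path=${path%/}               # drop a trailing slash
            case "$path" in
                *.git) ;;
                *)     path="$path.git" ;;
            esac
            printf 'git@bitbucket.org:%s\n' "$path"
            ;;
        git@bitbucket.org:*|ssh://git@bitbucket.org/*)
            printf '%s\n' "$url"         # already SSH, leave unchanged
            ;;
        *)
            printf 'not a Bitbucket Cloud URL: %s\n' "$url" >&2
            return 1
            ;;
    esac
}

# Create one ed25519 key pair for one person. Bitbucket refuses a public key
# that is already registered to another account, so a shared pair cannot work;
# a per-user file name and key comment keep the keys distinguishable in ~/.ssh
# and in the web UI. Prints the private key path. The empty passphrase (-N "")
# is for this offline demo only; drop -N to be prompted for a real key.
make_user_key() {
    user=$1
    dir=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    keyfile="$dir/id_ed25519_bitbucket_$user"
    if [ ! -f "$keyfile" ]; then
        ssh-keygen -q -t ed25519 -N "" -C "$user bitbucket-cloud" -f "$keyfile"
    fi
    printf '%s\n' "$keyfile"
}

# Demo on constructed input. The ssh-keygen and git steps are skipped where
# those tools are absent so the URL logic above still runs anywhere.
demo() {
    for u in https://bitbucket.org/acme/billing.git \
             https://dimitrios@bitbucket.org/acme/www \
             git@bitbucket.org:acme/infra.git; do
        printf '%-48s -> %s\n' "$u" "$(to_ssh_url "$u")"
    done

    if command -v ssh-keygen >/dev/null 2>&1; then
        tmp=$(mktemp -d)
        for user in dimitrios contractor-a; do
            key=$(make_user_key "$user" "$tmp/keys")
            printf 'public key for %s (add under Personal settings > SSH keys):\n  %s\n' \
                "$user" "$(cat "$key.pub")"
        done
        rm -rf "$tmp"
    fi

    if command -v git >/dev/null 2>&1; then
        # Make git use SSH for every bitbucket.org HTTPS remote, including
        # remotes written by tools that assume HTTPS. Shown against a
        # throwaway config file; use --global to apply it to your real config.
        cfg=$(mktemp)
        git config -f "$cfg" 'url.git@bitbucket.org:.insteadOf' 'https://bitbucket.org/'
        git config -f "$cfg" --list
        rm -f "$cfg"
    fi
}

demo
```

The insteadOf rewrite only helps tools that shell out to git with an HTTPS remote (Git Bash, IDEs, Composer's git driver); anything that speaks HTTPS to Bitbucket itself still needs an app password, as the answer above notes.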
