Good morning,
Seeing SSO is still not supported when using Bitbucket explicitly in the cloud, we were looking at enabling multi-factor authentication on our Bitbucket instance with the use of SSH Key pairing.
Could somebody confirm that this can be achieved user by user as opposed to forcing MFA for every user? The goal is to minimize impact and transition to MFA gradually.
Thanks
Hi Dimitrios! This has to be done per user; it's not possible to do it in bulk or even to enforce it. For more information on how to enable it, you can read Two step verification. However, keep in mind that if you request higher security for some of your content, every user will need to have it enabled in order to access it, as you can see at Control access to your private content.
Let us know if you have any questions!
Ana
Hi Ana,
Firstly, thank you very much for your reply. I will proceed accordingly as you mentioned. One more thing which comes to mind is the SSH key pair, which is a prerequisite to enabling MFA.
Seeing our Bitbucket subscription is composed of mostly internal company users and a few contractors, do I have the option of creating a single set of SSH key pairs to provide to each user?
The reason for this is for better manageability if that makes sense.
Also, once MFA is enabled, is my understanding correct that only HTTPS for applications using that protocol will be disabled? I'll still be able to log into our Bitbucket Cloud login to merge and approve pull requests, correct?
Thanks
Hi Ana,
There is one important aspect I am missing when enabling multi-factor authentication. When it is stated that https will be disabled, does that only refer to the type of access on repo functions like cloning, pushing, pulling etc. within a project or does that disable https access to the bitbucket console too?
What is confusing is that if only HTTPS access to the repo itself is disabled, how does that improve security, when a DEV can then access our Bitbucket account console through HTTPS and have access to the repos from there?
Hi Dimitrios,
do I have the option of creating a single set of SSH key pairs to provide to each user?
That won't be possible as once an SSH key is entered in Bitbucket, it will give an error if someone else tries to use the same. Every user needs a different SSH key.
Also, once MFA is enabled, is my understanding correct that only HTTPS for applications using that protocol will be disabled? I'll still be able to log into our Bitbucket Cloud login to merge and approve pull requests, correct?
I'm not sure I quite understand this question. You'll still be able to log in to your account normally and perform all the operations you were able to do before; the only difference is that logging in will require an extra step for the added security. Is that what you were asking?
Regarding your latest question:
What is confusing is that if only HTTPS access to the repo itself is disabled, how does that improve security, when a DEV can then access our Bitbucket account console through HTTPS and have access to the repos from there?
The Dev will have the same access from the web interface as from the console; he will need to be authenticated too. I'm not sure what you're referring to when you say 'disable https access'; afaik that feature is only available in Bitbucket Server. Could you please clarify this?
Best regards :)
Ana
Hello Ana,
Using the same SSH keys is now clear to me.
Moving on, this is what is confusing me. (Copied from within the Bitbucket settings page)
=====quoted=======
Once you've enabled two-step verification on your account, you will only be able to clone, push, or pull your repository over SSH. Your HTTPS access to Bitbucket repositories will be disabled. With SSH, you'll also be able to recover your account should you lose your device.
=====end======
Does this mean that accessing the repo through apps like Git Bash, PHP Composer etc. will only be possible through SSH, and that multi-factor authentication will only be enabled for accessing the web page https://bitbucket.org/company_name?
Just want to confirm if multi-factor authentication is enabled on both the console access and web access or only on one of them.
You can still use HTTPS for authentication if you set up an application password: https://confluence.atlassian.com/bitbucket/app-passwords-828781300.html
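The quoted settings text above says that after two-step verification is enabled, clone/push/pull over HTTPS stops working unless an app password is used, so the practical question for each developer is which of their local remotes still point at bitbucket.org over HTTPS. The script below is an added example, not code from the thread or from Atlassian: it reads `git remote -v` style lines, reports the remotes that would break, and prints (but does not run) the `git remote set-url` commands that switch them to the SSH form. The sample remote lines, the remote names and the `acme/web-app` repository are constructed for the example; nothing in it talks to the network.

```shell
#!/bin/sh
# Constructed sample in the format `git remote -v` prints (name, URL, direction).
# The names and repositories are made up for this example.
SAMPLE_REMOTES='origin	https://bitbucket.org/acme/web-app.git (fetch)
origin	https://bitbucket.org/acme/web-app.git (push)
upstream	https://dimitrios@bitbucket.org/acme/web-app (fetch)
mirror	git@bitbucket.org:acme/web-app.git (fetch)
github	https://github.com/acme/web-app.git (fetch)'

# to_ssh_url URL
# Print the SSH clone form (git@bitbucket.org:team/repo.git) of a Bitbucket
# Cloud HTTPS URL. Any other URL (already SSH, another host, or a URL whose
# path merely contains "@bitbucket.org") is printed unchanged.
to_ssh_url() {
  url=$1
  case "$url" in
    https://*) ;;
    *) printf '%s\n' "$url"; return 0 ;;
  esac
  rest=${url#https://}
  authority=${rest%%/*}            # "[user@]host": everything before the first slash
  path=${rest#"$authority"/}       # repository path after the host
  case "$authority" in
    bitbucket.org|*@bitbucket.org) ;;
    *) printf '%s\n' "$url"; return 0 ;;   # the host is not bitbucket.org
  esac
  if [ "$path" = "$rest" ]; then   # no path component at all
    printf '%s\n' "$url"; return 0
  fi
  path=${path%/}                   # drop a trailing slash
  case "$path" in *.git) ;; *) path="$path.git" ;; esac
  printf 'git@bitbucket.org:%s\n' "$path"
}

# list_https_bitbucket  (reads `git remote -v` lines on stdin)
# Print, once each, the remote names that still use HTTPS to bitbucket.org
# and would therefore fail after two-step verification without an app password.
list_https_bitbucket() {
  while read -r name url _; do
    [ -n "$name" ] || continue
    case "$(to_ssh_url "$url")" in
      "$url") ;;                       # unchanged: not an HTTPS bitbucket.org URL
      *) printf '%s\n' "$name" ;;
    esac
  done | sort -u
}

# suggest_set_url  (reads `git remote -v` lines on stdin)
# Print the `git remote set-url` commands that move each affected remote to SSH.
# The commands are only printed so the developer can review them before running.
suggest_set_url() {
  while read -r name url _; do
    [ -n "$name" ] || continue
    ssh=$(to_ssh_url "$url")
    [ "$ssh" != "$url" ] || continue
    printf 'git remote set-url %s %s\n' "$name" "$ssh"
  done | sort -u
}

# Demonstration on the constructed sample. In a real checkout run instead:
#   git remote -v | suggest_set_url
echo "Remotes that need attention:"
printf '%s\n' "$SAMPLE_REMOTES" | list_https_bitbucket
echo "Suggested commands:"
printf '%s\n' "$SAMPLE_REMOTES" | suggest_set_url
```

Remotes that stay on HTTPS on purpose (for example a build server that authenticates with an app password) are simply left out of the `set-url` list; the script never edits the repository itself.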