Enabling Multifactor Authentication - Bitbucket Cloud

Dspiliopoulos December 3, 2017

Good morning,

Seeing SSO is still not supported when using Bitbucket explicitly in the cloud, we were looking at enabling multi-factor authentication on our Bitbucket instance with the use of SSH Key pairing.

Could somebody confirm that this can be achieved user by user as opposed to forcing MFA for every user? The goal is to minimize impact and transition to MFA gradually.

Thanks

1 answer

0 votes
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 4, 2017

Hi Dimitrios! This has to be done per user, it's not possible to do it in bulk or even enforce it. For more information on how to enable it, you can read Two step verification. However, keep in mind that if you request higher security for some of your content, every user will need to have it enabled in order to access it, as you can see at Control access to your private content.

Let us know if you have any questions!

Ana 

Dspiliopoulos December 4, 2017

Hi Ana,

Firstly, thank you very much for your reply. I will proceed accordingly as you mentioned. One more thing which comes to mind is the SSH key pair which is a prerequisite to enabling MFA.

Seeing our Bitbucket subscription is composed of mostly internal company users and a few contractors, do I have the option of creating a single set of SSH key pairs to provide to each user?

The reason for this is for better manageability if that makes sense.

Also, once MFA is enabled, is my understanding correct that only HTTPS for applications using that protocol will be disabled? I'll still be able to log into our Bitbucket Cloud login, correct, to merge and approve pull requests?

Thanks

Dspiliopoulos December 6, 2017

Hi Ana,

There is one important aspect I am missing when enabling multi-factor authentication. When it is stated that HTTPS will be disabled, does that only refer to the type of access on repo functions like cloning, pushing, pulling etc. within a project, or does that disable HTTPS access to the Bitbucket console too?

What is confusing is that if only HTTPS access to the repo itself is disabled, how does that improve security, when a dev can then access our Bitbucket account console through HTTPS and have access to the repos from there?

Ana Retamal
Atlassian Team
December 6, 2017

Hi Dimitrios,

do I have the option of creating a single set of SSH key pairs to provide to each user?

That won't be possible as once an SSH key is entered in Bitbucket, it will give an error if someone else tries to use the same. Every user needs a different SSH key.

Also, once MFA is enabled, is my understanding correct that only HTTPS for applications using that protocol will be disabled? I'll still be able to log into our Bitbucket Cloud login, correct, to merge and approve pull requests?

I'm not sure I quite understand this question. You'll still be able to log in to your account normally and perform all the operations you were able to do before; the only difference is that logging in will require an extra step for the added security. Is that what you were asking?

Regarding your latest question:

What is confusing is that if only HTTPS access to the repo itself is disabled, how does that improve security, when a dev can then access our Bitbucket account console through HTTPS and have access to the repos from there?

The dev will have the same access from the web interface as from the console; he will need to be authenticated too. I'm not sure what you're referring to when you say 'disable HTTPS access', afaik that feature is only available in Bitbucket Server. Could you please clarify on this?

Best regards :)

Ana

Dspiliopoulos December 6, 2017

Hello Ana,

Using the same SSH keys is now clear to me.

Moving on, this is what is confusing me (copied from within the Bitbucket settings page):

=====quoted=======

Set up SSH on your account

Once you've enabled two-step verification on your account, you will only be able to clone, push, or pull your repository over SSH. Your HTTPS access to Bitbucket repositories will be disabled. With SSH, you'll also be able to recover your account should you lose your device.

=====end======

Does this mean that accessing the repo through apps like Git Bash, PHP Composer, etc. will only be possible through SSH, and that multi-factor authentication will only be enabled for accessing the web page https://bitbucket.org/company_name?

Dspiliopoulos December 6, 2017

Just want to confirm whether multi-factor authentication is enabled on both the console access and web access, or only on one of them.

jredmond
Atlassian Team
December 6, 2017

You can still use HTTPS for authentication if you set up an application password: https://confluence.atlassian.com/bitbucket/app-passwords-828781300.html
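The quoted settings text says HTTPS repository access is disabled once two-step verification is on, so local clones that still point at https://bitbucket.org remotes stop working unless an app password is used. As an added example (not Atlassian's code, and not part of this thread), the script below rewrites such remotes to the SSH form so the existing SSH key is used instead; the workspace and repository names in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not Atlassian's code): after two-step verification disables
# HTTPS repository access, local clones still pointing at https://bitbucket.org
# remotes stop working unless an app password is used. This script rewrites
# such remotes to their SSH form so the existing SSH key is used instead.

# bb_https_to_ssh URL
# Prints the SSH form of a bitbucket.org HTTPS clone URL and returns 0;
# prints nothing and returns 1 for anything else (other hosts, ssh:// URLs).
bb_https_to_ssh() {
    url=$1
    case "$url" in
        https://*) ;;
        *) return 1 ;;
    esac
    rest=${url#https://}          # [user[:pass]@]host/workspace/repo[.git][/]
    hostpart=${rest%%/*}          # [user[:pass]@]host
    host=${hostpart##*@}          # host only; embedded credentials are dropped
    [ "$host" = "bitbucket.org" ] || return 1
    path=${rest#*/}               # workspace/repo[.git][/]
    path=${path%/}                # drop a trailing slash
    case "$path" in
        */*) ;;                   # need both workspace and repo
        *) return 1 ;;
    esac
    case "$path" in
        *.git) ;;
        *) path="$path.git" ;;
    esac
    printf 'git@bitbucket.org:%s\n' "$path"
}

# rewrite_remotes [repo_dir]
# Rewrites every bitbucket.org HTTPS remote of a local repository in place,
# e.g. https://bitbucket.org/acme/widgets.git -> git@bitbucket.org:acme/widgets.git
rewrite_remotes() {
    dir=${1:-.}
    git -C "$dir" remote | while IFS= read -r name; do
        old=$(git -C "$dir" remote get-url "$name")
        if new=$(bb_https_to_ssh "$old"); then
            git -C "$dir" remote set-url "$name" "$new"
            printf '%s: %s -> %s\n' "$name" "$old" "$new"
        fi
    done
}
```

Run `rewrite_remotes /path/to/clone` once per affected clone; remotes on other hosts or already using SSH are left untouched.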
