Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Why is an SSH key required with two step authorization?

james_dugger
james_dugger March 16, 2021

In our company we have setup Bitbucket (premium level) to use two-step verification (workspace settings -> access controls -> select two-step-ver).  Which typically involves just setting up an authorization app on mobile like Authy or Google Authenticator, or MS Authenticator.  Along with the team members valid email account number.  

To see the projects, and repositories on the dashboard team members are told they have to add a public SSH key to complete the access.  Is this additional (3rd step) required and why. While I understand the additional uses and functions that SSH affords.  Why is it a necessity here?  

Some companies don't allow clients like OpenSSH to be enabled on the desktops.  Also not every team or user should be assumed to know how to setup and manage SSH keys (while most probably do - it is still a big assumption).

If SSH is not required with 2FA enabled then please explain what needs to be "unset" to remove the requirement.

Answer
Watch
Like Be the first to like this
414 views

1 answer

0 votes
Theodora Boudale
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 17, 2021

Hi @james_dugger ,

When 2FA is enabled for a Bitbucket Cloud account, it is not possible to clone/pull/push to repos via HTTPS with username + password.

This is one of the reason's why it was a requirement to set up SSH before enabling 2FA.
We now provide users the ability to generate app-passwords:

which can be used for authentication when cloning/pulling/pushing via HTTPS instead of the password, even when a user has 2FA enabled.

However, app passwords were introduced about a year after we added support for 2FA, so until then SSH was the only option for interacting with repositories when 2FA was enabled.

Another reason for that requirement was that in case a user loses their phone with the authenticator app and cannot generate a verification code to log in to Bitbucket, they can receive 6 recovery codes by executing this command in the machine that has their SSH keys:

ssh git@bitbucket.org recovery_codes

and use them to log in to Bitbucket, disable 2FA, and then set up 2FA again with a new phone. Otherwise, they would be locked out of their account with no option to access it.

We have now added the option for users to request a 2FA recovery email in case they've lost access to their authenticator app, but for security reasons the email is sent after 24 hours, while retrieving recovery codes via SSH could give the user access to their account faster.

I can open a feature request for our development team to rethink this design and remove the SSH requirement, since there are now options both for cloning/pulling/pushing to repos via HTTPS when 2FA is enabled and also for account recovery in case access to the authenticator app is lost (please feel free to let me know if you'd like me to do that).

At the moment, I'm afraid that it is not possible to remove this requirement though.

We have a guide on how to set up SSH keys in our documentation, in case this is useful for your users:

If you have any questions, please feel free to let me know.

Kind regards,
Theodora

View More Comments
james_dugger
james_dugger March 18, 2021

Theadora,

Thank you for the response.  I would recommend that you open the ticket to have it considered by your development team.  Again while I understand that most developers and software engineers using a source control manager like Bitbucket are fully versed in SSH and can easily generate the needed keys, we are by no means the only ones using source control. 

To rely on two different protocols (In this case HTTPS & SSH) to "secure" a single product, feels ill conceived if it is anything more than a short term solution.  It also limits the security options of the enterprise corporation that is looking to use your product.  Without fully vetted standalone solutions in both HTTPS and SSH separately, How do you know your solution is fully secure for either. 

However the bigger picture is that there are now whole occupations and industries outside of the traditional IT-developer role that are using/writing code in their work.  It is not uncommon for large corporations to have hundreds of professional analysts and data scientists that write SQL, Python, & R to analyze, spreadsheets, databases, and data farms, that have no need for a traditional CI/CD based workflow with access to servers etc that might warrant SSH.  These professionals simply write code and use code to connect to and interpret data.  However they and there teams still want to version their scripts. 

Many of these teams fall outside of the IT organizations in their firms.  They typically don't have admin access to there systems and are not included in the Active Directory groups that allow for use of products that use or require SSH.  This type of limited code use and version control use case is only going to increase.  The VCS management platform that also targets these teams and makes it easy but secure for them to version there work will have a huge advantage in the future.  I hope it is Bitbucket.

Like
Theodora Boudale
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 31, 2021

Hi James,

Thank you for your reply and we appreciate your feedback.

I found that we already have a request for this in our issue tracker:

I would suggest that you add your vote in that request (by selecting the Vote for this issue link) as the number of votes helps the development team and product managers better understand the demand for new features. You are more than welcome to leave any feedback, and you can also add yourself as a watcher (by selecting the Start watching this issue link) if you'd like to get notified via email on updates.

Implementation of new features is done as per our policy here and any updates will be posted in the feature request.

Please feel free to let me know if you have any questions.

Kind regards,
Theodora

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events