In our company we have set up Bitbucket (Premium level) to use two-step verification (workspace settings -> access controls -> select two-step verification), which typically involves just setting up an authorization app on mobile like Authy, Google Authenticator, or MS Authenticator, along with the team members' valid email account.
To see the projects and repositories on the dashboard, team members are told they have to add a public SSH key to complete the access. Is this additional (3rd) step required, and why? While I understand the additional uses and functions that SSH affords, why is it a necessity here?
Some companies don't allow clients like OpenSSH to be enabled on desktops. Also, not every team or user should be assumed to know how to set up and manage SSH keys (while most probably do, it is still a big assumption).
If SSH is not required with 2FA enabled then please explain what needs to be "unset" to remove the requirement.
Hi @james_dugger ,
When 2FA is enabled for a Bitbucket Cloud account, it is not possible to clone/pull/push to repos via HTTPS with username + password.
This is one of the reasons why it was a requirement to set up SSH before enabling 2FA.
We now provide users the ability to generate app passwords, which can be used for authentication when cloning/pulling/pushing via HTTPS instead of the password, even when a user has 2FA enabled.
However, app passwords were introduced about a year after we added support for 2FA, so until then SSH was the only option for interacting with repositories when 2FA was enabled.
Another reason for that requirement was that in case a user loses their phone with the authenticator app and cannot generate a verification code to log in to Bitbucket, they can receive 6 recovery codes by executing this command on the machine that has their SSH keys:
ssh email@example.com recovery_codes
and use them to log in to Bitbucket, disable 2FA, and then set up 2FA again with a new phone. Otherwise, they would be locked out of their account with no option to access it.
We have now added the option for users to request a 2FA recovery email in case they've lost access to their authenticator app, but for security reasons the email is sent after 24 hours, while retrieving recovery codes via SSH could give the user access to their account faster.
I can open a feature request for our development team to rethink this design and remove the SSH requirement, since there are now options both for cloning/pulling/pushing to repos via HTTPS when 2FA is enabled and also for account recovery in case access to the authenticator app is lost (please feel free to let me know if you'd like me to do that).
At the moment, I'm afraid that it is not possible to remove this requirement though.
We have a guide on how to set up SSH keys in our documentation, in case this is useful for your users:
If you have any questions, please feel free to let me know.
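Since app passwords are what make HTTPS clone/pull/push work with 2FA on, the thing to get right on the client is that the app password is never pasted into the remote URL, where it would land in `.git/config` and shell history. The following is an added example, not Bitbucket's code and not from this thread; it assumes git is installed, and the repository path and Bitbucket username passed to `scrub_repo_remotes` are placeholders.

```shell
#!/bin/sh
# Added example (not Bitbucket's or the thread author's code). Detects HTTPS
# remotes that embed "user:secret@", strips the secret, and points git at a
# credential helper plus a configured username instead, so the app password
# is supplied at fetch time and never stored in .git/config.

# Exit 0 when an HTTPS remote URL carries an inline "user:secret@" prefix.
url_has_secret() {
    printf '%s' "$1" | grep -Eq '^https?://[^/@]*:[^/@]+@'
}

# Print the URL with any "user[:secret]@" prefix removed.
strip_url_credentials() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
}

# Rewrite every remote of the repository at $1 that embeds a credential and
# configure HTTPS auth for bitbucket.org via the credential cache helper.
#   $1 = path to a git repository (placeholder)
#   $2 = Bitbucket username to use for HTTPS (placeholder)
scrub_repo_remotes() {
    repo=$1
    user=$2
    git -C "$repo" remote | while read -r name; do
        url=$(git -C "$repo" remote get-url "$name")
        if url_has_secret "$url"; then
            echo "remote '$name' embeds a credential; rewriting" >&2
            git -C "$repo" remote set-url "$name" "$(strip_url_credentials "$url")"
        fi
    done
    # Username comes from config; git asks for the app password once and the
    # cache helper keeps it in memory for an hour, not on disk.
    git -C "$repo" config credential.https://bitbucket.org.username "$user"
    git -C "$repo" config credential.helper 'cache --timeout=3600'
}
```

Run `scrub_repo_remotes /path/to/repo yourname` once per clone; on the next fetch git prompts for the app password (not the account password) and caches it in memory only.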
Thank you for the response. I would recommend that you open the ticket to have it considered by your development team. Again while I understand that most developers and software engineers using a source control manager like Bitbucket are fully versed in SSH and can easily generate the needed keys, we are by no means the only ones using source control.
To rely on two different protocols (in this case HTTPS & SSH) to "secure" a single product feels ill-conceived if it is anything more than a short-term solution. It also limits the security options of the enterprise corporation that is looking to use your product. Without fully vetted standalone solutions in both HTTPS and SSH separately, how do you know your solution is fully secure for either?
However, the bigger picture is that there are now whole occupations and industries outside of the traditional IT/developer role that are using/writing code in their work. It is not uncommon for large corporations to have hundreds of professional analysts and data scientists who write SQL, Python, & R to analyze spreadsheets, databases, and data farms, and who have no need for a traditional CI/CD-based workflow with access to servers etc. that might warrant SSH. These professionals simply write code and use code to connect to and interpret data. However, they and their teams still want to version their scripts.
Many of these teams fall outside of the IT organizations in their firms. They typically don't have admin access to their systems and are not included in the Active Directory groups that allow for use of products that use or require SSH. This type of limited code use and version control use case is only going to increase. The VCS management platform that also targets these teams and makes it easy but secure for them to version their work will have a huge advantage in the future. I hope it is Bitbucket.
Thank you for your reply and we appreciate your feedback.
I found that we already have a request for this in our issue tracker:
I would suggest that you add your vote in that request (by selecting the Vote for this issue link) as the number of votes helps the development team and product managers better understand the demand for new features. You are more than welcome to leave any feedback, and you can also add yourself as a watcher (by selecting the Start watching this issue link) if you'd like to get notified via email on updates.
Implementation of new features is done as per our policy here, and any updates will be posted in the feature request.
Please feel free to let me know if you have any questions.