Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

account recovery without 2FA and ssh-keys

SqdwA
SqdwA May 23, 2017

Hello,

I am a new bitbucket user. I recently setup 2FA (two-factor) on my phone. I also setup ssh-key from my laptop. However, recently I had to reformat my phone, and I lost the 2FA codes. Unfortunately I also lost my ssh-keys as I changed them on my laptop. Now I can't login to bitbucket. Is there any way I can disable 2FA and login with my password? Otherwise, can I reset my account to have a fresh start?

Thank you for your suggestions.

Answer
Watch
Like # people like this
15970 views

13 answers

2 votes
armandocolpa
armandocolpa September 15, 2018

Hi, Ana. So I'm trying to recover my account and I have the ssh keys associated with the account. It's a new laptop, but I always keep backups of my laptop. According to this link

 

https://confluence.atlassian.com/bitbucket/two-step-verification-777023203.html

 

you can get recovery codes by running

 

ssh git@bitbucket.org recovery_codes

 

However, when I run that, I receive the following:

 

=================================================================

$ ssh git@bitbucket.org recovery_codes
Warning: Permanently added 'bitbucket.org,18.205.93.2' (RSA) to the list of known hosts.
PTY allocation request failed on channel 0
logged in as <my username>.

You can use git or hg to connect to Bitbucket. Shell access is disabled.
Connection to bitbucket.org closed.

=================================================================

 

So it was certainly able to find my account and said I was logged in. Then it gave me a "shell access disable" message and didn't print out the recovery codes. I googled around a bit, but haven't found a solution to this. Any help would be great. 

View More Comments
armandocolpa
armandocolpa September 15, 2018

Btw, I'm able to work with my repo (clone, commit, etc).

Like
Reply
0 votes
Deleted user September 14, 2020

I have followed this thread through and yes this resolved my issues:-

ssh git@bitbucket.org recovery_codes

For those of you on this thread that then complained about security and your situations of lost keys and phones (2FA devices) I can only offer suggestion that you consider the old phrase of "security is only as strong as the weakest link".

Now of course for some of you reading my previous comment that I chant from inside my "Smug Both" you might just have burst a blood vessel and thumped your keyboard. For those folk I say, "I feel your pain, but all your pain is caused by your own doing" (or lack of doing). 9 time out of 10 folk only care about backups/fail-over/disaster recovery when they have been hacked/experienced a hardware failure and lost critical data. Nothing and I'll repeat again NOTHING in this world is 100% bullet proof, systems fail so you MUST have fall backs/recovery plans/backups at whatever level you you work with Tech. If you think something could fail it won't be "if" it will be "when". 

My final thought for you folk is "fail to prepare then prepare to fail" 

View More Comments
Erica K
Erica K September 14, 2020

Some of us do. I have not lost a 2FA account here and I backup all the ones I have, but this is still a ridiculous policy for an enterprise service, which I have never seen elsewhere. For a free service, yes, it would be expected. I am really wondering if I should keep paying for this, since I don't use the Bitbucket cloud.

I'll leave those who lost data to comment on your message.

Like mikey kennethRasch likes this
Reply
0 votes
Dejan Nenov
Dejan Nenov July 6, 2020

This is not acceptable - for the simple reason that codes and ssh keys CAN be lost.

In my case in the same month I replaced phone (where the Auth app was) and laptop (where the codes were in a password protected file) - and lost both.

I suppose Atlassian designed MFA/SSO management with the expectation that we would write codes down on a post it and stick it inside a drawer .... :)

I thought the @mention issue that has not been addressed for 5+ years now was as bad as a security architecture SNAFU could get - but this one takes the cake!

Reply
0 votes
john1440
john1440 March 9, 2020

I never use 2FA because it's too dangerous, too susceptible to mishaps, hardware failures, etc. The lack of recoverability makes it unsuitable for the most important accounts.

Oh, the irony!

Reply
0 votes
Adedeji Adewumi
Adedeji Adewumi January 30, 2020

Hi, I am locked out of my Company Bitbucket Cloud account though I can still can Commit and Clone Repository using local server.

  1. No Authenticator apps/No 2FA Mobile
  2. Recovery Codes. - I have recovery codes but will not work.
  3. SSH Recovery. - I have my Private/Public keys.   

How can I retrieve my account back?

View More Comments
sambasivarao byrapuneni
sambasivarao byrapuneni May 8, 2020

Adedji,

I have same issue and could not access my repos. How did you resolve this ?

Thanks

Samba

Like
tatianalopez
tatianalopez September 20, 2021

Hello Sambasivarao, 

 

Did you manage a way to access it?

 

Thanks,
Tatiana

Like
Reply
0 votes
A.S.
A.S. September 28, 2019

This is so messed up, I just cannot believe it is real - how many corporate bodies trust Atlassian with their sensitive data with all their products .. Trello, Jira, Confluence to name a few and all these share the same 2FA nonsense.

 

I am probably not awake. Pinch me anyone, please!!!

Reply
Reply
0 votes
A.S.
A.S. September 28, 2019

Hello and welcome to the Atlassian hidden club!!!

 

So I have changed country, lost old phone's sim card, reinstalled OS, and guess what - my 2FA codes were not accepted?

 

Best part? Atlassian representative has offered to delete my account so that I could create a new one afresh!!! How cute!!!

 

I was blamed for "accidentially" creating new 2FA codes! Eh? Oh wait, that makes sense!

 

E.g. they should give a WARNING WARNING WARNING that whenever you enable 2FA on your account, ALL DATA WILL BE LOST. PROCEED ON YOUR OWN RISK.

 

Fabulous service!

 

Would you recommend it to friends and business acquaintances?

 

up2u, right?

 

Thank you, Atlassian, for saving 5 years of my work on your highly reliable cloud!!! [...which I can no longer access...]

Reply
0 votes
Rose Manda
Rose Manda October 18, 2018

Hi Ana,

I have my authenticator App, which sends me recovery codes. The first step of verification code is always working fine, for logging into JIRA and Confluence. When I entered the second verification, it says 'Invalid Verification code'. 

I tried using emergency recovery code on step-1, but still takes me to step-2 verification. This is annoying, cause emergency recovery code is to unblock when I cannot use Authenticator App / Verification Code.

Could you pls help ? 

View More Comments
lvcasx1
lvcasx1 September 2, 2019

Getting the same error as you

Like
Reply
0 votes
Ike Hull
Ike Hull May 1, 2018

fyi, Atlassian got me a way to reset mfa, through the site admin .... I still think the UI/UX is awkward but as long as there is a way to reset it, I am in a better mode :)

View More Comments
mnarangwib
mnarangwib May 18, 2018

hi Ike, can you point out how you were able to do it ? i have also lost access to my keys and would like to reset it.

Like
Ana Retamal
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 5, 2018

Hello there! To follow up on @Ike Hull's response, he's referring to the 'Organizations' functionality that was recently introduced for Jira and Confluence. Organizations provide a centralized way to manage your domains, products and users, it also allows you to subscribe to Identity Manager to apply security policies over all your managed accounts.

Bitbucket is excluded from this as Bitbucket accounts are not centrally managed as Jira and Confluence are, in Bitbucket every user is the admin of their own account.

Hope this clarifies!

Best regards,

Ana

Like
Reply
0 votes
Erica K
Erica K February 1, 2018

This is crazy. If AWS and other vendors of paid service can help people -- even with slow methods like postal mail -- Atlassian should also. This makes 2FA too risky to use here.

View More Comments
Ana Retamal
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 2, 2018

Hi Erika, I've never heard of postal mail being an option. As is the standard, we provide 3 ways of obtaining a code:

  1. Authenticator apps.
  2. Recovery Codes.
  3. SSH Recovery.

These options are widely used across different companies (Github and Google for example) and its advantages and risks are listed in many articles, like Don't get locked out when using 2FA.

There is no other way to obtain a code outside of these options. When you enable 2FA, you are committing to making that account accessible only to a user that is able to obtain a 2FA code. For more information you can see Retrieve recovery codes through SSH.

Please let us know if you have any other questions.

Regards,

Ana

Like
Erica K
Erica K February 2, 2018

Google and GitHub are free -- that's the level of service I would expect. Bitbucket is supposed to be enterprise level.

Amazon Web Services offers 2FA, along with a way to recover the codes (if needed) by demonstrating ownership of the account phone and address. You should be measuring yourself against other business services.

Like
Ana Retamal
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 5, 2018

Hi @Erica K, Google and GitHub are free as long as you don't get the paid option, same as for Bitbucket. Bitbucket is a product for all kind of users, from college students to big companies. You can have a free Bitbucket account with up to 5 users. 

Let us know if you have any other questions,

Ana

Like
Erica K
Erica K February 5, 2018

I'm aware of that and I wasnt asking a question. My point remains, your paid plan (which we use) should support enterprise features.

Like
Ike Hull
Ike Hull April 30, 2018

I have an account in our jira that we can not recover the access codes for  .... we even tried deleting the entire account and re-adding it new ... because it would be ridiculous to make the user get a new email address ... BUT so far that is the only option on the table.

NO BODY does MFA recovery this way ... ALL my other applications ... like O365, Pivotal, Saleforce, Zuora ..... ALL of them have a mechanism to reset credentials including the MFA credentials ... even if it requires administrative rights.

Like # people like this
Ike Hull
Ike Hull April 30, 2018

This is not even an enterprise feature  ... it is a basic feature.  It is ridiculous to make a user get a new email address because they did not write down their "recovery codes" ... most users will not write those down because none of their other SaaS applications truly require it.  When an invite goes out, I am not standing over their shoulder to remind them that the "recovery code"  is mission critical and that they literally have no option for getting back in the system with out it.   Of course we could get them a new corporate email each time this happens .... such a bad path!

Like # people like this
Reply
0 votes
draganklvi9
draganklvi9 January 16, 2018

Hello, I have a same problem. I used company email for an account and activated 2fa. 

1. I stored recovery keys to my company computer.

2. I used browser authenticaticator

3. My machine ssh keys were added 

We recently had an cyber attack and my machine was completely wiped out.

So, please, is there any way for me to prove my identity (I have part of the ssh key you've sent me via email) and to recreate my account? It's my company email so I would like to use this one.

Dragan

View More Comments
Ana Retamal
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 17, 2018

Hi @draganklvi9! Do you have a verification app installed on your mobile device? If you do, you'll still be able to log in to your account, disable 2FA, generate a new SSH key and enable 2FA again. This is explained in the article Two step verification.

What do you mean you have part of the SSH key we sent you via email? The SSH key should be generated by yourself following the steps at Creating SSH keys.

If you don't have the authentication app and don't have the SSH key on your machine, we won't be able to prove your identity, thus the account can not be recovered.

Let us know!

Ana

Like
draganklvi9
draganklvi9 January 17, 2018

Hi @Ana Retamal,

Thanks for you reply. No, I've lost all 3 recovery options, I eventually contacted support and my account was erased. I meant part of the my ssh key I received on email when I added to my profile, but it's okay now.

 

BR,

Dragan

Like
Ana Retamal
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 18, 2018

Hi Dragan, thanks for the update!

Best regards,

Ana

Like
Reply
0 votes
Ana Retamal
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 29, 2017

Hi Sam! Did you save the recovery codes we provided you when you first set up 2FA in your account? If you have them, you can use them to gain access to your account again.

However, if you don't have access to the device you use to authenticate, nor saved the recovery codes, nor have the SSH that you used with Bitbucket, I'm afraid you've exhausted all the possible options to recover access. There is no other way to obtain a code outside of these options. 

We don't have the ability to disable two-step verification for any Bitbucket user account. When you enable 2FA, you are committing to making that account accessible only to a user that is able to obtain a 2FA code. I'd recommend you restore your repos from the local data to a new Bitbucket account, or get copies from other users that may have worked on the repositories.

Let me know if you have any questions, Sam.

Kind regards,

Ana

 

View More Comments
jeromemiranda
jeromemiranda July 18, 2017

Same issue here.

 

  • No SSH keys
  • No 2FA mobile
  • No Recovery codes

 

I know we accept the terms when we enabled the 2FA but I hope I can still recover my account. I still know the email address and password. All I need is a code to enter.

 

Also, I think is unusual to only depend on 2FA without having other options like a text message, email resetting, etc.

 

I really need to recover my account since all my projects are there. I hope you can help us.

Like
Ana Retamal
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 21, 2017

Hi Jerome, I'm sorry to hear you've lost all your access options. However, as I mentioned before, an account with 2FA enabled can only be accessed by a user that provides a 2FA code.

Also, I'm not sure what you mean by "I think is unusual to only depend on 2FA without having other options like a text message, email resetting, etc" As is the standard, we provide 3 ways of obtaining a code:

  1. Authenticator apps.
  2. Recovery Codes.
  3. SSH Recovery.

There is no other way to obtain a code outside of these options. You can still restore your repos from the local data to a new Bitbucket account, or get copies from other users that may have worked on the repositories.  

Regards,

Ana

Like
Jerome Miranda
Jerome Miranda July 21, 2017

Hi Ana,

 

Thanks for the response.

 

Actually my account was deleted now.

 

Text message and email code are just my suggestions for at least last sort in recovering account.

 

Like
phanhongan
phanhongan June 4, 2018

I got the same issue. I lost all the devices with 2FA & recovery codes. How can I register a new account without creating a new email?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events