Heads up: forced 2FA coming to an Atlassian Marketplace near you!

In case you missed it: starting in September, Atlassian will be enforcing 2FA using an emailed OTP for access to the Atlassian Marketplace.

It is currently unclear from the article and the lack of announcement whether or not this also applies to those using 3rd party identity providers (like Google, Apple, etc). It could be that you will be forced to do 2FA twice: once from your 3rd party identity provider (using an actual proper implementation that also supports authenticator apps & hardware keys) and once with the emailed OTP from Atlassian.

Thanks @marc for noticing this!

7 Likes

I must admit I’m a little confused.

I already have 2SV configured for my Atlassian ID that I use to log into the Marketplace vendor portal to manage our apps and upload new versions.

This existing 2SV uses an Authenticator app (in my case, Authy) to generate the 6-digit code.

Does this mean that in September I can no longer use that, and instead use an emailed OTP? That seems less secure to me. The post seems to suggest that they couldn’t get Authenticator apps to work… yet it already is for me?

Also, it’s 2023 and a shame that they couldn’t use this opportunity to adopt more modern approaches (passkeys), that both reinforce the 2nd factor with anti-phishing solutions.

I feel like this is a retrograde step (if I’ve understood correctly, which I possibly haven’t).

3 Likes
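To make the difference between the two mechanisms discussed above concrete, here is an added example (not code from this thread, from Atlassian, or from any authenticator product) of what each looks like on the verifying side: an RFC 4226/6238 HOTP/TOTP implementation, which is what an authenticator app computes from a secret provisioned once to the device, next to an emailed-OTP store where the code is random server state that is only as strong as the mailbox it is delivered to. The secret, e-mail address and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


# --- Authenticator-app second factor: HOTP (RFC 4226) and TOTP (RFC 6238) ---

def new_app_secret() -> str:
    """Fresh 160-bit secret, base32-encoded as it would be carried in an otpauth:// QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 counter-based one-time password with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP over the index of the current 30-second window."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, candidate: str, for_time=None, window: int = 1) -> bool:
    """Accept the current window plus +/- `window` neighbours to tolerate clock drift.

    Nothing is transmitted to the user here: both sides derive the code from the
    shared secret, so no delivery channel can leak it.
    """
    t = int(time.time()) if for_time is None else for_time
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, t + drift * 30), candidate):
            return True
    return False


# --- Emailed OTP: a random code held in server state and sent over e-mail ---

class EmailOtpStore:
    """Issues and checks e-mailed codes with expiry, attempt limit and single use.

    The code itself is unguessable, but whoever can read the mailbox can read it,
    so this factor is only independent of the login if the mailbox is protected
    by something other than the same login.
    """

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending = {}  # email -> [code, expires_at, attempts]

    def issue(self, email: str, now=None) -> str:
        now = int(time.time()) if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, not time-derived
        self._pending[email] = [code, now + self.ttl, 0]
        return code  # in a real system this value is what the e-mail carries

    def verify(self, email: str, candidate: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        entry = self._pending.get(email)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if now > expires_at or attempts >= self.max_attempts:
            del self._pending[email]  # expired or brute-force limit hit: discard
            return False
        entry[2] += 1
        if hmac.compare_digest(code, candidate):
            del self._pending[email]  # single use
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (constructed sample, not a real key)
    rfc_secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(rfc_secret, for_time=59))  # RFC vector: 287082
    store = EmailOtpStore()
    code = store.issue("vendor@example.com")
    print("emailed code accepted:", store.verify("vendor@example.com", code))
```

The TOTP half is checkable against the published RFC test vectors (secret `12345678901234567890`, time 59 gives 287082), which is what makes an authenticator app interoperable across vendors; the e-mailed code has no such property because it never leaves the server except through the mail channel.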

Not sure who to add here, so just tagging random people…
@MalathiVangalapati @RituDagar @ibuchanan @tpettersen

Anyway, the new 2FA for the Marketplace vendor section has been implemented and as expected it’s a real PITA. Not only is the chosen method (email OTP) annoying (especially considering the fact that we log in with our Google account which also has 2FA), it is even more annoying because we are required to do the 2FA dance multiple times a day.

Like many changes Atlassian makes: what issue are you trying to solve? And why are you using another proprietary siloed solution? Atlassian ID already provides us with the ability to have secure login. Why is it mandatory? Why is it also applicable to those who log in with 3rd party authentication providers?

Make it make sense!

11 Likes

It’s really freakin’ annoying. I have multiple windows open to generate promo codes because usually I need to generate multiple ones at the same time and the darn thing is so slow this is the best way to improve speed, and now I need to do 2FA for every page that is open. I am not a fan.

Hello Remi and Leslie,

Thank you for taking the time to share your feedback regarding the recent implementation of the 2SV (Two-Step Verification) feature for Marketplace partners. We recognize that this adjustment may have caused some inconvenience and would like to offer some insight into the reasoning behind it.

This project was initiated as part of the security compliance led by the Atlassian Security Team. It is a mandatory security enhancement that needed to be implemented for Marketplace across all partners.

Here are the factors that have been considered:

  1. We are unable to determine the secure login policy for partners using 3rd party Authenticators, as we don’t have a way to know what login policy (MFA or not) the user has configured with 3rd party identity providers. Hence, we could not base the security of partner data/actions on that.
  2. Upon investigation, we have determined that it is best for Marketplace to drive consistency in uniformly enforcing 2SV authentication for all partners, regardless of their chosen mode of login. This should not be left to partners to enable or disable, as it could lead to safety concerns down the line.

We appreciate your patience and understanding as we work to enhance our platform to improve partner data security. Your feedback is valuable, and we will continue to take it into account as we refine and improve our systems.

Regards,
Atlassian Marketplace team.

Correct me if I’m wrong: Atlassian doesn’t trust Google Authorization for partners but it’s completely fine to have it for the users (admins, instance owners, etc.)?

2 Likes

@Yamuna ,

You should look into the 2FA process when using an iPad on Safari. Sometimes, it sends dozens of emails and it’s impossible to log in. Some other times, you absolutely need to clear the cookies to get it to work properly.

Many vendors have reported this behavior.

Thanks,

Hi @Yamuna,

I’ve been contemplating how to respond to this. Let me start by saying that I appreciate that you are providing some background information with regard to how Atlassian came to this decision.

Yet, despite this, the decision still puzzles me. I know I will probably not convince Atlassian to change course, but I’m just really baffled by the reasoning behind these changes and I hope at least it will help Atlassian take a step back and look outside her own bubble.

Using email for OTP

One of the reasons you list is

  1. We are unable to determine the secure login policy for partners using 3rd party Authenticators, as we don’t have a way to know what login policy (MFA or not) the user has configured with 3rd party identity providers. Hence, we could not base the security of partner data/actions on that.

I get that this sounds like a reasonable argument, but I just can’t wrap my head around the fact that, after having said this, you just went ahead and sent the OTP to the email address associated with the same account.

Marking the 3rd party auth provider as potentially insecure automatically renders any interaction with that service insecure as well. I can now use that same non-2FA 3rd party auth account to retrieve the Atlassian Marketplace OTP.

You do not tell us why 2FA is mandatory

The driving force behind this whole ordeal seems to be this sentence:

It is a mandatory security enhancement that needed to be implemented for Marketplace across all partners.

This is a premise that is being taken as fact, but you are not giving any details as to why this is mandatory. Can Atlassian please share with us the compliance framework that mandates this security measure?

I think this is very important, because Atlassian seems to go further than any other payment service provider by mandating 2FA.

Within the context of this specific discussion, please note that Atlassian does not enforce 2FA for customer instances. I can log into my Jira/Confluence sites without any requirement to use 2FA. What is so specific to the Atlassian Marketplace that 2FA is mandated? Where does this requirement come from?

Without proper understanding of the requirements, it is hard for vendors to understand why we are jumping through a (seemingly random) hoop.

1 Like