Heads up: forced 2FA coming to an Atlassian Marketplace near you!

In case you missed it: starting in September, Atlassian will be enforcing 2FA using an emailed OTP for access to the Atlassian Marketplace

It is currently unclear from the article and the lack of announcement whether or not this also applies to those using 3rd party identity providers (like Google, Apple, etc). It could be that you will be forced to do 2FA twice: once from your 3rd party identity provider (using an actual proper implementation that also supports authenticator apps & hardware keys) and the emailed OTP from Atlassian.

Thanks @marc for noticing this!


I must admit I’m a little confused.

I already have 2SV configured for my Atlassian ID that I use to log into the Marketplace vendor portal to manage our apps and upload new versions.

This existing 2SV uses an Authenticator app (in my case, Authy) to generate the 6-digit code.

Does this mean that in September I can no longer use that, and instead use a emailed OTP? That seems less secure to me. The post seems to suggest that they couldn’t get Authenticator apps to work…yet it already is for me?

Also, it’s 2023 and a shame that they couldn’t use this opportunity to adopt more modern approaches (passkeys), that both reinforce the 2nd factor with anti-phishing solutions.

I feel like this is a retrograde step (if I’ve understood correctly, which I possibly haven’t)


Not sure who to add here, so just tagging random people…
@MalathiVangalapati @RituDagar @ibuchanan @tpettersen

Anyway, the new 2FA for Marketplace vendor section has been implemented and as expected it’s a real PITA. Not only is the chosen method (email OTP) annoying (especially considering the fact that we login with our Google account which also has 2FA), it is even more annoying because we are required to do the 2FA dance multiple times a day.

Like many changes Atlassian makes: what issue are you trying to solve? And why are you using another proprietary siloed solution? Atlassian ID already provides us with the ability to have secure login. Why is it mandatory? Why is it also applicable to those who log in with 3rd party authentication providers?

Make it make sense!


it’s really freakin’ annoying. I have multiple windows open to generate promo codes because usually I need to generate multiple ones at the same time and the darn thing is so slow this is the best way to improve speed and now I need to double SFA for every page that is open. I am not a fan.