Hi @Yamuna,
I’ve been contemplating how to respond to this. Let me start by saying that I appreciate that you are providing some background information with regard to how Atlassian came to this decision.
Yet, despite this, the decision still puzzles me. I know I will probably not convince Atlassian to change course, but I’m just really baffled by the reasoning behind these changes, and I hope at least it will help Atlassian take a step back and look outside its own bubble.
Using email for OTP
One of the reasons you list is
- We are unable to determine the secure login policy for partners using 3rd party Authenticators, as we don’t have a way to know what login policy (MFA or not) the user has configured with 3rd party identity providers. Hence, we could not base the security of partner data/actions on that.
I get that this sounds like a reasonable argument, but I just can’t wrap my head around the fact that, after having said this, you just went ahead and sent the OTP to the email address associated with the same account.
Marking the 3rd party auth provider as potentially insecure automatically renders any interaction with that service insecure as well. I can now use that same non-2FA 3rd party auth account to retrieve the Atlassian Marketplace OTP.
You do not tell us why 2FA is mandatory
The driving force behind this whole ordeal seems to be this sentence:
It is a mandatory security enhancement that needed to be implemented for Marketplace across all partners.
This is a premise that is being taken as fact, but you are not giving any details as to why this is mandatory. Can Atlassian please share with us the compliance framework that mandates this security measure?
I think this is very important, because Atlassian seems to go further than any other payment service provider by mandating 2FA.
Within the context of this specific discussion, please note that Atlassian does not enforce 2FA for customer instances. I can log into my Jira/Confluence sites without any requirement to use 2FA. What is so specific to the Atlassian Marketplace that 2FA is mandated? Where does this requirement come from?
Without a proper understanding of the requirements, it is hard for vendors to understand why we are jumping through a (seemingly random) hoop.