Enforced two-step verification
About two-step verification
Two-step verification adds a second login step to your managed users’ Atlassian accounts by requiring them to enter a 6-digit code in addition to their password when they log in. The second step helps keep their account secure even if the password is compromised. When account logins are secure, then your organization's products and resources are safer.
Each user enables two-step verification on their Atlassian account themselves. They can either install a verification app (such as Google Authenticator, Authy, or Duo) on their smartphone, or choose to get the 6-digit code by text (SMS) message. When they log in, they check the verification app, or a text message, for a 6-digit code that they enter at the second step. Read about how users enable two-step verification.
When you enforce two-step verification, you make it mandatory for your users to enable two-step verification on their accounts – they won't be able to log in to your Atlassian Cloud products until they do so.
As an Atlassian Cloud admin, there are a couple of things you need to have done before you can enforce two-step verification on your users' Atlassian accounts:
- Created an organization – see Organization administration.
- Verified one or more domains, to confirm you own those – see Domain verification. When you verify a domain, all the Atlassian accounts that use email addresses from the verified domain become managed by your organization.
- Subscribed to Atlassian Access.
Enforce two-step verification
When you enforce two-step verification, your managed users won't be able to log in to your Atlassian Cloud products until they enable two-step verification on their accounts.
- You should enable two-step verification for your own account first, before enforcing it for all users.
- We recommend that you don’t enforce two-step verification if your users log in through Google or with SAML single sign-on. See below for details.
- You can temporarily exclude a user from enforced two-step verification. See below for details.
- If you enforce two-step verification, scripts and services that currently authenticate with your Atlassian Cloud products will need to use an API token. See below for details.
- You can only enforce two-step verification on user accounts from your verified domains. Users who have access to your products but whose accounts are either self-managed or managed by another domain, and who haven't enabled two-step verification, will still be able to log in without it.
To enforce two-step verification
- Choose Two-step verification.
- Click Enforce two-step verification.
What happens after I enforce two-step verification?
We'll email existing users with instructions on how to enable two-step verification. They'll have to do that when they next log in. New users will enable two-step verification as part of signup.
We’ll also email all other organization admins to let them know that you started enforcing two-step verification for the organization.
The email that existing users will see:
The prompt to enable two-step verification that users will see when they next log in:
Stop enforcing two-step verification
If you stop enforcing two-step verification, it will still remain enabled on the users' accounts where it had previously been enabled, but they can now choose to disable it. New users, however, won't be required to enable two-step verification during signup.
To stop enforcing two-step verification
- Choose Two-step verification.
- Click Stop enforcing two-step verification.
If you stop enforcing two-step verification for your organization, we'll email all other organization admins to let them know that you’ve done this. Note that if you stop enforcing two-step verification, you will still be subscribed to Atlassian Access. If you no longer wish to enforce security policies on your managed accounts, you can unsubscribe from Atlassian Access.
Two-step verification and Google or SAML SSO
Users who log in to your Atlassian Cloud products with Google or SAML single sign-on don't see Atlassian two-step verification. We recommend that you use Google's or your identity provider's equivalent instead.
Our rationale is that logging in with Google or a SAML provider means choosing a non-Atlassian identity provider, so we believe it's best to complete the entire login with that one provider, including its two-factor authentication (2FA) solution.
See accounts without two-step verification enabled
You can see a list of all accounts from your verified domains that don't yet have two-step verification enabled:
- Choose Managed accounts.
- Click Show users without two-step verification.
This displays all the Atlassian accounts that are managed in your organization that don't have two-step verification enabled. You can use it to see which people will be affected if you enforce two-step verification, as well as to see those who are yet to enable two-step verification after you've enforced it.
Temporarily exclude users from two-step verification
There are situations where a user will be unable to use two-step verification. For example:
- They've lost their phone, and so won't be able to log in.
- They don’t have a phone capable of downloading a verification app.
In such cases, you can temporarily exclude a user from requiring two-step verification for their account. When you exclude users from requiring two-step verification:
- Users who have enabled two-step verification: excluding them disables two-step verification for their account and allows them to log in with only a password.
- Users who have not yet enabled two-step verification: they can continue logging in with only a password.
To exclude a user from two-step verification
- Choose Managed accounts.
- Find the user's account, perhaps using the available filters, and click Edit account.
- Choose Options > Exclude from two-step verification.
To stop excluding users from two-step verification and enforce it on their accounts again, repeat the steps above and then choose Options > Enforce two-step verification.
Use REST API tokens
If you enforce two-step verification, scripts and services won't be able to use a password for basic authentication against a REST API. We recommend that you use an API token instead, although an organization admin could exclude the relevant account from two-step verification, as described above. Read more about API tokens.
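The change a script needs once two-step verification is enforced, as an added example that is not part of this page: the Basic auth secret becomes an API token rather than the account password. The site URL, email and token are constructed sample values, and the `/rest/api/3/myself` endpoint is assumed to be the standard Jira Cloud one.

```python
import base64
import json
import os
import urllib.error
import urllib.request


def build_auth_header(email: str, api_token: str) -> str:
    """Return the Basic auth header value Atlassian Cloud REST APIs accept.

    With two-step verification enforced, the account password no longer works
    here; the secret part must be an API token the user created instead.
    """
    credentials = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def load_api_token(env_var: str = "ATLASSIAN_API_TOKEN") -> str:
    # Keep the token out of source control: read it from the environment.
    token = os.environ.get(env_var)
    if not token:
        raise RuntimeError(f"set {env_var} to an Atlassian API token")
    return token


def fetch_myself(site_url: str, email: str, api_token: str) -> dict:
    """GET /rest/api/3/myself (assumed Jira Cloud endpoint) as the token's user."""
    req = urllib.request.Request(
        f"{site_url.rstrip('/')}/rest/api/3/myself",
        headers={
            "Authorization": build_auth_header(email, api_token),
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # A password in place of the token is rejected once 2SV is enforced.
            raise RuntimeError("401: use an API token, not the account password") from err
        raise


if __name__ == "__main__":
    # Constructed sample site and user; replace with your own values.
    me = fetch_myself("https://example.atlassian.net", "admin@example.com", load_api_token())
    print(me.get("displayName"))
```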