
Enforce two-step verification

If you recently noticed a change in your authentication settings
Beginning the week of March 15th, we started migrating two-step verification and other settings to your new authentication policies. Learn about what's changed

Who can do this?
Role: Organization admin
Plan: Atlassian Access

About two-step verification

Two-step verification adds a second login step to your managed users’ Atlassian accounts by requiring them to enter a 6-digit code in addition to their password when they log in. The second step keeps their account secure even if the password is compromised.

Each user enables two-step verification for their Atlassian account. They can install a login verification app (such as Google Authenticator, Authy, or Duo) on their phone or choose to get the 6-digit code via text. When users log in, they check the login verification app, or text, for a 6-digit code that they enter at the second step. Read about how users enable two-step verification.

When you enforce two-step verification, you require your users to enable two-step verification on their accounts – they won't be able to log in to your Atlassian Cloud products until they do so.

As an organization admin, you need to verify one or more domains before you can enforce two-step verification on your users' Atlassian accounts. Learn how to verify a domain for your organization.

Any user can enable two-step verification for their Atlassian account at no cost. However, as an organization admin, if you'd like to require all your users to enable two-step verification, you'll need an Atlassian Access subscription.

Enforce two-step verification

When you enforce two-step verification, your managed users won't be able to log in to your Atlassian cloud products until they enable two-step verification on their accounts.

  • You should enable two-step verification for your own account first before enforcing it for all users.

  • If you enforce two-step verification, scripts and services that currently authenticate with your Atlassian cloud products will need to use an API token.

  • You can only enforce two-step verification on user accounts from your verified domains. Users that are either self-managed or managed by another domain, and haven’t enabled two-step verification, can still log in without using two-step verification.

Two-step verification in authentication policies

You can find two-step verification in Authentication policies. Authentication policies give you the flexibility to configure multiple security levels for different user sets within your organization. Authentication policies also reduce risk by giving you the ability to test different single sign-on configurations for subsets of users before rolling them out to your whole company. Learn more about Authentication policies.

To require two-step verification from an authentication policy:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Authentication policies.

  3. Select Edit for the policy you want to modify.

  4. On the Settings page, select Require.

If you enforce single sign-on, you set up two-step verification in your identity provider (Google, Azure, Okta, etc.) and not in your authentication policy. Learn more about enforcing single sign-on in authentication policies 

Two-step verification for end-users

After you require two-step verification, we don’t log users out of their current sessions, and we don’t send emails reminding users to set up two-step verification.

The next time existing users log in, we'll prompt them to set up two-step verification. 

Two-step verification user prompt

Make two-step verification optional for users

When you make two-step verification optional for users, they can continue to log in with two-step verification or can choose to stop using it.

To make two-step verification optional:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Authentication policies.

  3. Select Edit for the policy you want to make two-step optional.

  4. On the Settings page, select Optional.

Find the accounts without two-step verification enabled

You can see a list of all accounts from your verified domains that don't yet have two-step verification enabled:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Directory > Managed accounts.

  3. Select the All accounts dropdown.

  4. Under Two-step verification, select Not enabled.

We’ll provide a list of Atlassian accounts that are managed in your organization without two-step verification enabled. 

Troubleshoot two-step verification with authentication policies

There are situations when a member of an authentication policy can’t log in with two-step verification.

  • They've lost their phone and so won't be able to log in.

  • They don’t have a phone capable of downloading a login verification app.

If the member has set up two-step verification:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Authentication policies.

  3. Move the member to a policy where two-step verification is optional.

  4. Select Directory > Managed accounts > Show details to open the member’s page.

  5. Select Reset two-step verification so the member can reset two-step verification and log in.

  6. Move the member back to the previous policy.

If the member hasn’t set up two-step verification:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Authentication policies.

  3. If two-step is required for the member, move them to a policy where two-step is optional.

  4. The member can now log in with only a password.

Use REST API tokens

If you enforce two-step verification, scripts and services won't be able to use a password for basic authentication against a REST API. We recommend that you use an API token instead, although an organization admin could exclude the relevant account from two-step verification, as described above. Read more about API tokens
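The following is an added example, not Atlassian's own code, of a script that sends an account email and API token as HTTP basic authentication in place of a password. The environment variable names, the site `example.atlassian.net` and the REST path are placeholders assumed for illustration.

```python
import base64
import os
import urllib.request
from urllib.parse import urlsplit

# Hypothetical environment variable names chosen for this example.
EMAIL_VAR = "ATLASSIAN_EMAIL"
TOKEN_VAR = "ATLASSIAN_API_TOKEN"


def load_credentials(env=os.environ):
    """Read the account email and API token from the environment, never from source."""
    email = env.get(EMAIL_VAR, "").strip()
    token = env.get(TOKEN_VAR, "").strip()
    if not email or not token:
        raise RuntimeError(f"set {EMAIL_VAR} and {TOKEN_VAR} before running")
    return email, token


def build_request(base_url, path, email, token):
    """Return a GET request that sends email:token as HTTP basic authentication."""
    parts = urlsplit(base_url)
    # Basic auth is only base64-encoded, so refuse to send it without TLS.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base_url must be an https:// URL")
    # Credentials belong in the header, not in the URL where they end up in logs.
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the URL")
    basic = base64.b64encode(f"{email}:{token}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(base_url.rstrip("/") + "/" + path.lstrip("/"))
    req.add_header("Authorization", "Basic " + basic)
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    email, token = load_credentials()
    # Placeholder site and path: substitute your own site and REST resource.
    req = build_request("https://example.atlassian.net", "/rest/api/3/myself", email, token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status)
```

Keeping the token in the environment or a secrets manager means it can be revoked and replaced without editing the script.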
