Atlassian has released Universal 2nd Factor (U2F) authentication for Bitbucket Cloud according to a blog by TJ Kells. This is based on the Fast Identity Online (FIDO) Alliance U2F standard. It uses a range of devices to enable 2FA (2 Factor Authentication) without requiring the installation of drivers or software.
The announcement is a response to the recent publication of some Bitbucket user credentials. The Atlassian security advisor states that the data did not come from them. The implication being that an unnamed third-party was to blame. Nonetheless, this is a smart move by Atlassian. Rather than simply force users to change passwords they’ve upped their game. In doing so they’ve put users first rather than focus on the simplest and easiest solution to the problem.
How does it work?
The user associates a U2F device to their account. When they next log in to their account it sends a query to the U2F device. The user simply presses a button on the U2F device and they are authenticated into their account. It sounds simple and is really is that simple.
The device chosen by Atlassian is the Yubico Yubikey. Next week Atlassian will post the details of a page where users can buy Yubikey devices, at a discount, for their Bitbucket developers.
“We applaud Atlassian for their support for the FIDO U2F protocol, by introducing this forward thinking strong public key cryptography two-factor authentication option to their user base,” said Jerrod Chong, VP Solutions Engineering, Yubico.
Getting authentication in front of developers
Adding better authentication to a website might not seem a big deal but it is. This is a site for developers and this move by Atlassian is cleverer than you might think. On one level it provides asset security for developers. At another level it opens up the possibility for them so that they can incorporate security easily into their own code.
At present, we don’t know if Atlassian and Yubico will make the Yubico APIs available on Butbucket. It would certainly make a lot of sense if they did. Developers would then be able to integrate support for U2F into their applications. This means that apps are deployed with a secure option, a far better alternative than something bolted on by IT security teams.
Developers are often derided for not doing Secure by Design. While this isn’t a perfect solution it does have the benefit of making developers work securely. As such it improves protection for the Intellectual Property they are creating. It should also give them the opportunity to see how easy it can be to write more secure apps.