
Bitbucket Introduces Required Two-Factor Authentication and IP Whitelisting


Atlassian has announced two new features aimed at making Bitbucket more secure: IP whitelisting and required two-factor verification.

IP whitelisting will allow organizations to restrict the IP addresses from which a user can view, push, or clone a Bitbucket repository. According to Atlassian, Bitbucket is the first of the leading Git repository management tools to use IP whitelisting to ensure that data is safe even if an account’s password is compromised. Specifically, Atlassian believes that IP whitelisting will make it possible for customers who have preferred an on-premises version control system, in order to have more control over user access, to safely migrate their data to the cloud. In particular, Atlassian hopes IP whitelisting will allow organizations more sensitive to privacy issues, such as those in the financial or health care industries, to enforce advanced security policies, including:

  • Making sure only devices with sufficient security controls are allowed to access the data
  • Effectively preventing users from working from home when such a policy is required

Two-factor authentication was introduced in Bitbucket in 2015 as an optional feature which can either leverage a mobile device to handle the second confirmation or a security key device such as the YubiKey. While two-factor authentication can drastically limit the occurrences of identity theft, being optional reduces its effectiveness. Now account administrators can make two-factor authentication mandatory for whole teams. If a user tries to access their account without having enabled two-factor authentication, they will be denied access and shown instructions on how to enable it.

In conversation with InfoQ, Bitbucket Product Leader Rahul Chhabria explained the importance for Bitbucket of providing enterprise-grade security features:
"Hosting code in the cloud is the standard with many small businesses and catching fire with larger teams. As more professional teams embrace Git and the cloud, they will require advanced security and compliance features to ensure that their private code doesn't get into the wrong hands."
Chhabria also highlighted a number of security features that were added in the last year, including 2FA, U2F, support for ECDSA and Ed25519 user keys for SSH, and others.

Both IP whitelisting and mandatory two-step authentication are only available with Bitbucket’s Premium plan, which will cost $5/user/month. Two-step authentication remains available, though, as a free feature to all users who want to enable it.
