Enforce two-step verification
When you enforce two-step verification on users, you require them to enter a one-time passcode in addition to their password when they log in to Atlassian. This second factor protects the account if the password is compromised, because an attacker also needs the passcode from the user's device.
After you enforce two-step verification, we don’t log users out of their current sessions and we don’t email them to set up two-step verification. Instead, we prompt users to enable two-step verification for their Atlassian account the next time they log in. They can install an authentication app (such as Google Authenticator, Authy, or Duo) on their phone or receive a one-time passcode by text (SMS) message, and they use this one-time passcode to log in to Atlassian apps. An authentication app is the stronger choice: SMS passcodes can be intercepted through SIM swapping or number-porting attacks.
As an admin, you should enable two-step verification for your own account before you enforce it for all users. See: Manage two-step verification for your Atlassian account
Enforce two-step verification for managed accounts
You enforce two-step verification on your organization’s managed accounts through an authentication policy. You can set up multiple authentication policies to set different security levels for different subsets of users in your organization.
To enforce two-step verification for managed accounts:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Authentication policies.
Select Edit for the relevant policy.
In the Settings tab, select Mandatory for two-step verification.
SAML single sign-on
If you enforce single sign-on in your organization, the two-step verification setting in an authentication policy doesn’t apply to users who log in through your identity provider. Set up multi-factor authentication in your identity provider instead.
Enforce two-step verification for external users
You can require external users to verify their identity with a one-time passcode through your external user policy.
To require a one-time passcode for external users:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > External users.
Select External user policy.
For Authorization method, select One-time passcode.
Select Update.
Make two-step verification optional
You can make two-step verification optional for some users, so they can choose to stop using it.
To make two-step verification optional for some managed accounts:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Authentication policies.
Select Edit for the policy that contains the managed accounts for whom two-step verification should be optional.
In the Settings tab, select Optional for two-step verification.
To make two-step verification optional for external users:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > External users.
Select External user policy.
For Authorization method, select None.
Select Update.
You can only make two-step verification optional for all your external users or none of them. You can’t make it optional for some external users only.
Find managed accounts without two-step verification enabled
To find your managed accounts who don’t have two-step verification enabled:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Directory > Managed accounts.
Select the All accounts filter.
Under Two-step verification, select Not enabled.
Troubleshoot two-step verification for managed accounts
A member of an authentication policy might not be able to log in with two-step verification if:
they’ve lost their phone
they don’t have a phone to download an authentication app or receive text messages
If the account has set up two-step verification:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Authentication policies.
Move the account to a policy where two-step verification is optional.
Navigate to the account’s profile in Directory > Managed accounts.
Select Reset two-step verification. The member can then log in with their password and set up two-step verification again.
Move the account back to their original policy.
If the account hasn’t set up two-step verification:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Authentication policies.
If two-step verification is required for the account, move them to a policy where two-step verification is optional. They can now log in with only a password.
Move the account back to their original policy to require two-step verification.
Use REST API tokens for scripts and services
If you enforce two-step verification, scripts and services won't be able to use a password for basic authentication against a REST API. We recommend that you use an API token instead: the script sends the account’s email address as the username and the API token as the password, and you can revoke the token at any time without changing the password. An organization admin can also exclude an account from two-step verification by moving it to a policy where two-step verification is optional, as described above, but this weakens the protection on that account’s interactive logins. Read more about API tokens
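The following is an added example, not Atlassian’s own code, of how a script authenticates to an Atlassian Cloud REST API with an API token instead of a password. It assumes the environment variable names ATLASSIAN_EMAIL and ATLASSIAN_API_TOKEN (chosen for this example) and uses the Jira Cloud endpoint /rest/api/3/myself as the call to exercise. It also shows why the token must only ever be sent over HTTPS: a Basic authorization header is base64, not encryption, and is trivially reversible.

```python
"""Basic auth with an Atlassian API token (added example, not Atlassian's code).

Assumptions (not from the original page): the environment variables
ATLASSIAN_EMAIL and ATLASSIAN_API_TOKEN hold the account's email address and
an API token; the site URL is passed in by the caller.
"""
from __future__ import annotations

import base64
import json
import os
import urllib.request
from urllib.parse import urlparse


def basic_auth_header(email: str, api_token: str) -> str:
    """Build the Authorization value for email:token Basic auth.

    Atlassian Cloud expects the account email as the username and the API
    token in the password position. The result is only base64-encoded.
    """
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth_header(header: str) -> tuple[str, str]:
    """Recover (email, token) from a Basic header: proof it is reversible,
    which is why the header must never cross a non-TLS connection."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not a Basic authorization header")
    email, sep, token = base64.b64decode(encoded).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return email, token


def is_https(url: str) -> bool:
    """True only when the URL scheme is https."""
    return urlparse(url).scheme == "https"


def require_https(url: str) -> str:
    """Refuse to send credentials over anything but HTTPS."""
    if not is_https(url):
        raise ValueError(f"refusing to send an API token over non-HTTPS URL: {url}")
    return url


def load_credentials() -> tuple[str, str]:
    """Read credentials from the environment so the token is never in source."""
    email = os.environ.get("ATLASSIAN_EMAIL")
    token = os.environ.get("ATLASSIAN_API_TOKEN")
    if not email or not token:
        raise RuntimeError("set ATLASSIAN_EMAIL and ATLASSIAN_API_TOKEN first")
    return email, token


def get_json(site: str, path: str, email: str, api_token: str) -> dict:
    """GET a JSON resource from an Atlassian Cloud site using the API token."""
    url = require_https(site.rstrip("/") + path)
    req = urllib.request.Request(
        url,
        headers={
            "Authorization": basic_auth_header(email, api_token),
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # /rest/api/3/myself returns the authenticated user's profile on Jira Cloud.
    # A 401 here usually means a password was sent where a token is required,
    # or the token has been revoked. Replace the site URL with your own.
    email, token = load_credentials()
    me = get_json("https://your-site.atlassian.net", "/rest/api/3/myself", email, token)
    print(me.get("displayName"), me.get("accountId"))
```

Store the token in a secrets manager or CI secret store rather than a shell profile, and rotate it when the script is retired; revoking an API token does not affect the user’s interactive login or their two-step verification setup.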