Universal 2nd Factor (U2F) now supported in Bitbucket Cloud

By on June 22, 2016


Last week, we released support for FIDO Universal 2nd Factor in Bitbucket Cloud. FIDO U2F is an emerging standard for two-step verification that uses a physical USB key to digitally sign a challenge from a trusted website. It’s a new authentication standard designed to enable small USB tokens, mobile phones, and other devices to act as a secure second factor for 2FA without requiring any additional overhead of installing drivers or client-side software applications.

What does this mean for you?
You may have heard about some high profile breaches and subsequent unauthorized publication of stolen user credentials in the past few weeks. Two-step verification on your Bitbucket Cloud account ensures that your data will continue to be protected even if someone else gets your password.

With U2F, instead of having to enter a TOTP (Time-based One-time Password) every time you want to log in to Bitbucket Cloud, you can simply press a button on a small USB device plugged into your computer. You are also less vulnerable to phishing attacks since security keys will only sign challenges that match the proper domain for the website.


Visit two-step verification settings to add your key. If you do not already have two-step verification enabled, you’ll need to enable it before you can use your U2F key with Bitbucket Cloud.

Special Yubikey promotion for Bitbucket users
You’ll need to purchase a security key that supports U2F in order to take advantage of this feature. We’re collaborating with Yubico, co-creator of the U2F protocol, and offering discounts for a limited time through a special offer: Bitbucket teams can purchase up to 10 keys at a 25% discount, (while supplies last). You can find more information about the offer here.

We are proud to be among the first few websites to support this standard. “We applaud Atlassian for their support for the FIDO U2F protocol, by introducing this forward thinking strong public key cryptography two-factor authentication option to their user base,” said Jerrod Chong, VP Solutions Engineering, Yubico. Earning and keeping your trust is part of our customer commitment. Learn more about 2FA and U2F.


  • Posted June 22, 2016 at 2:19 pm | Permalink

    Really glad to see FIDO U2F support, is Bitbucket Cloud the same as normal Bitbucket, or is this a new product? Thanks.

    • Alastair Wilkes
      Posted June 22, 2016 at 2:27 pm | Permalink

      Glad you like it! Bitbucket Cloud = bitbucket.org. We mention cloud to differentiate from the behind-the-firewall offering, Bitbucket Server.

  • Chris Atomix
    Posted June 22, 2016 at 6:14 pm | Permalink

    Trying to link my Yubikey without success. Steps to reproduce:
    1) Enter Device Name (“Yubikey”)
    2) Click “Add Security Key” button
    3) Message appears on page which says “Insert and press the button on your security key now.”
    4) Insert Yubikey and press button
    5) The Yubikey press opens the Import Existing Code dialog

    I tried it again by disabling keyboard shortcuts on my account, but it doesn’t do anything.
    It seems like the input field where you enter the OTP is missing/broken.

    Hopefully this is rectified ASAP. Using the latest Google Chrome on Windows 7, there are no console errors, and I’ve whitelisted Bitbucket in AdBlock Plus.

    • Alastair Wilkes
      Posted June 23, 2016 at 12:04 pm | Permalink

      Hi Chris! Sorry you’re experiencing issues setting up your key. We will take a look – thanks for including steps to reproduce.

    • Alastair Wilkes
      Posted June 23, 2016 at 12:28 pm | Permalink

      Hi Chris, is it possible that you are using a key that does not support U2F, or key that has U2F disabled? A Yubikey that doesn’t support U2F will send keyboard presses that could result in shortcut actions.

  • Anders Lindén
    Posted June 23, 2016 at 12:19 pm | Permalink

    Well when you are using your Yubikey to login you could also use it to sign your commits, the Yubikey have support for OpenPGP. And when you are using it for signing commits you could also use the key to accessing the git-server by importing your ssh public key into Bitbucket with the help of gpgkey2ssh command.