Links
Announcement
...
https://developer.atlassian.com/server/jira/platform/changelog/#CHANGE-1570
EAP01: http://developer.atlassian.com/changelog/#CHANGE-1595
Atlassian Developer Community thread: https://community.developer.atlassian.com/t/two-step-verification-login-for-data-center/79009/12
Situation
Atlassian will introduce a new 2SV feature that is based on, and coupled with, the Atlassian SSO plugin.
Atlassian calls it 2-step verification but, based on the information provided, it uses 2 factors with TOTP. Users can use an authenticator app and manage their tokens in their personal Jira profile.
An early EAP with a POC implementation is scheduled for April 18.
The public release is scheduled for Jira 10.1 and Confluence 9.1 in July/August.
The Atlassian SSO plugin will be transformed from a bundled plugin to a system plugin.
The new 2SV will be the default authentication flow, but it will be possible to disable this method by setting a system property on startup.
There will be a way to configure different authentication methods in the admin section, but there are no plans yet to support integrations with third-party applications.
Atlassian won’t enable 2SV if Atlassian SSO is configured, as they assume that 2FA is then done by the IdP.
The existing Seraph authentication will not be touched. The new solution will be added on top of the existing authentication implementation.
Authentication with the REST API is not affected, except for a custom Jira REST endpoint that provides a new Jira session, as this would otherwise act as a security hole.
Supporting WebSudo is not yet included, but is planned for a later release.
A follow-up meeting is planned 2-3 weeks after we receive the POC. Depends on Team 24…
...