2FA (Two Factor Auth / Two Step Auth) is finally available!

We are pleased to announce that 2FA (two-factor authentication or two step authentication) is available on Bitrise.io :tada:

Two-factor authentication adds another layer of security to your account: even if your password is compromised or stolen, only you can log in. With 2FA enabled, you’ll be asked for your 2FA authentication code in addition to your password when you access Bitrise.io.

Let’s see how it works:

First, navigate to your Account settings page and click on the Security tab.

A pop-up will appear when you click on the Enable button.

Here, scan the displayed QR code.

You can do this with the Google Authenticator app (also available as a Chrome browser extension), or with any other TOTP-compatible app.

Install Google Authenticator - Google docs

After entering the 6-digit code generated by the app, you will get your recovery codes.

Recovery codes are used to access your account in the event you cannot receive a two-factor authentication code.
Treat your recovery codes with the same level of attention as your password. Save them in a safe place, away from curious eyes. It is also important to note that these codes are single-use: once you have signed in with a backup code, that code is invalidated immediately and can’t be used again!

At this point you can download them by clicking the Download button, or copy them to the clipboard and then paste and save them wherever you want.

Note: you can’t view your backup codes again, but you can generate new ones as long as you’re authenticated, e.g. in case you just signed in with your last backup code.

The Copy button is not available on mobile (screen widths under 768px) and doesn’t work with Safari <10.0, but of course you can just select, copy and paste these like any other text.

If 2FA was activated successfully and you clicked the Done button, the popup will disappear and you will see some changes on the page.

Clicking the Disable button opens a warning popup where you can cancel or confirm the action.

You can also Generate new recovery codes; in this case the Recovery codes popup will appear and you can save them. Important: when you generate new recovery/backup codes, the previously generated codes are invalidated and can’t be used for login anymore!

This action has to be confirmed in a warning popup.

If 2FA is enabled, Bitrise.io will ask you for your 2FA authentication code during login: if you’ve logged out, are using a new device, or your session has expired.

After you have entered your username and password, or signed in with your git provider, you have to enter the authentication code to verify your identity.

You can enter a recovery code here instead of the 2FA code to access your account in the event you cannot receive two-factor authentication codes, but recovery codes are single-use: you can only use a specific code once! If you’re close to using your last codes, please generate new ones!

Notice: If your authentication fails several times, you may need to synchronise your phone’s clock with your mobile provider. Often this means checking the “Set automatically” option in your phone’s clock settings, rather than setting the time zone yourself.

Last but not least: if you enable 2FA and lose your device as well as your backup codes, we can’t reset it for you! Please be very careful to back up these codes!

Thank you to everyone who voted on the related feature request (Two-factor authentication); it helped a lot to prioritize this long-awaited feature! :wink:

As always, if you have any questions just let us know, and Happy Building! :rocket:

1 Like
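To make concrete what the authenticator app does with the QR code, what a "6-digit code" is, and why the clock notice in the announcement matters, here is an added example (not code from the original post and not Bitrise’s implementation) of the TOTP algorithm the post refers to (RFC 6238 on top of RFC 4226 HOTP). The secret is the RFC 6238 reference key in base32, chosen so the output can be checked against the RFC’s published test vectors; the `otpauth://` label and issuer are assumptions about what a service would encode, not Bitrise’s actual values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890" in base32.
# It is NOT a Bitrise secret; it is used only so the values can be checked against
# the RFC's published test vectors.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def otpauth_uri(secret_b32: str, account: str, issuer: str = "Bitrise") -> str:
    """The otpauth:// key URI an authenticator app reads from the QR code.
    The label and issuer used here are assumptions, not Bitrise's actual ones."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side check. Accepts the code for the current 30 s step and for
    `skew` steps either side, so a phone a few seconds off still works, while a
    phone that is minutes off (the case the clock notice describes) is rejected."""
    if len(submitted) != 6 or not submitted.isdigit():
        return False
    counter = unix_time // step
    ok = False
    for c in range(counter - skew, counter + skew + 1):
        # compare every candidate in constant time; no early exit on a match
        if hmac.compare_digest(hotp(secret_b32, c, 6), submitted):
            ok = True
    return ok


if __name__ == "__main__":
    print(otpauth_uri(DEMO_SECRET_B32, "user@example.com"))
    print("code at t=59:", totp(DEMO_SECRET_B32, 59))
```

A phone whose clock is 90 seconds slow produces the code for a counter three steps behind the server’s, which `verify_totp` rejects with the default one-step skew; that is the failure the announcement’s “Set automatically” advice fixes. Widening `skew` makes drift less painful but also enlarges the window in which a captured code stays valid, so keep it small.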
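The announcement states three rules for recovery codes: each code works exactly once, generating a new set invalidates the old one, and the codes cannot be viewed again after issue. As an added example of how a service can enforce those rules server-side (this is not code from the original post and not Bitrise’s implementation; the `RecoveryCodes` class, the 10-code set size and the xxxx-xxxx-xxxx-xxxx display format are assumptions), the store below keeps only hashes of the codes, so a database leak does not yield usable codes, and discards a hash the moment its code is redeemed.

```python
import hashlib
import hmac
import secrets


class RecoveryCodes:
    """Hypothetical server-side store for single-use recovery codes.
    Keeps only SHA-256 hashes; plaintext codes are returned to the user exactly
    once at generation time and cannot be viewed again."""

    def __init__(self, count: int = 10, nbytes: int = 8) -> None:
        self.count = count
        self.nbytes = nbytes            # 8 random bytes = 64 bits of entropy per code
        self._hashes = set()            # hashes of codes that are still valid

    @staticmethod
    def _normalize(code: str) -> str:
        # tolerate the separators and case a user may type or paste back in
        return code.replace("-", "").replace(" ", "").strip().lower()

    @staticmethod
    def _hash(code: str) -> str:
        # codes are random, not user-chosen, so a fast hash is adequate here
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def generate(self) -> list:
        """Issue a fresh set. Replacing the whole hash set invalidates every
        previously issued code, as the announcement describes."""
        raw = [secrets.token_hex(self.nbytes) for _ in range(self.count)]
        self._hashes = {self._hash(c) for c in raw}
        # show them to the user grouped as xxxx-xxxx-xxxx-xxxx (assumed format)
        return ["-".join(c[i:i + 4] for i in range(0, len(c), 4)) for c in raw]

    def redeem(self, submitted: str) -> bool:
        """Consume a code: True exactly once per valid code, False for reuse or junk."""
        h = self._hash(self._normalize(submitted))
        matched = None
        for stored in self._hashes:
            # constant-time compare of every candidate; no early exit
            if hmac.compare_digest(stored, h):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)   # single-use: gone the moment it is accepted
        return True

    def remaining(self) -> int:
        return len(self._hashes)

    def running_low(self, threshold: int = 2) -> bool:
        """Signal that the user should generate a new set before the last code is spent."""
        return self.remaining() <= threshold


if __name__ == "__main__":
    store = RecoveryCodes()
    issued = store.generate()
    print("issued:", issued)
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
```

The “generate new codes” action in the announcement maps to `generate()` replacing the entire set; there is no path that adds codes to an existing set, which is what guarantees the old ones stop working.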
  • Are yubikeys supported (as implemented by GitHub)?
  • Is there a way to force 2FA on organizations (as implemented by GitHub)?
1 Like

Not yet, but feel free to create a new #feature-request - we definitely plan to provide the “force” feature, but for now we want to see how 2FA is utilized, and optimize the UX.

I opened a feature request:

The UX of authentication codes is awful.

Can you be a bit more specific? :wink:

Have you used them…? U2F enables pressing a button for signing in. It’s both more secure and easier than generating random codes on a potentially insecure cellphone.

Google also has great support for them.

1 Like

Ahhh, sorry, I completely misunderstood you - I thought you meant the UX/design (of 2FA) on bitrise.io specifically is awful / that you had issues with setting up 2FA on bitrise.io.

Re U2F vs 2FA (UX) - I agree :wink:

1 Like