How to Set Up Two-Factor Authentication (2FA) for Jira

The Two-Factor Authentication (2FA) App by miniOrange adds an extra layer of security to Jira Software and Jira Service Desk. This guide will show you how to configure 2FA using your Mobile Authenticator App.

Pre-requisites

  • Jira is installed and configured on your system.
  • Supported versions: Jira Server 8.13.0 - 10.0.1, Jira Data Center 8.13.0 - 10.0.1
  • Admin credentials for Jira.
  • A valid Jira Server or Data Center license.

Download and Installation

  • Log into your Jira instance as an admin.
  • Navigate to the Settings menu and click on Manage Apps.
  • Click on Find new apps or Find new add-ons.
  • Search for mO Two-Factor Authentication (2FA) for Jira.
  • Click Try free or Buy now to install.
  • Enter your information and click Generate license.
  • Click Apply license to complete the installation.

1: Configuring miniOrange 2FA

    Follow these steps to configure and enable the miniOrange 2FA app for your Jira users:

  • Choose 2FA Methods: The miniOrange 2FA add-on offers users a range of 2FA methods, including OTP, KBA, TOTP, and more, for authentication. You can enable the desired 2FA methods from the provided list during plugin configuration. To enable the chosen methods for your users, you just have to select the 2FA Method option and toggle it active.
  • Enable Backup Method: To ensure access during emergencies or when users cannot access their primary 2FA method, our app also provides you with a backup authentication method. You can choose any of the listed 2FA methods as your backup by selecting the Backup Method option and toggling it active.
  • Select Users to Enforce 2FA: Once the required 2FA methods are enabled, select the users who will be required to use 2FA.
  • Use the Enable 2FA/MFA for All Users option to apply 2FA to all existing users and automatically enable it for newly created users.
  • You can customize the 2FA settings based on your requirements. Enable, disable, or skip 2FA for users or groups individually, in bulk, or based on their IP addresses.
  • Enable 2-Factor Authentication: Finally, enable 2FA for Jira Software or Jira Service Management as needed.
  • The 2FA for Admin Access feature enhances security for admin-level operations in Jira. After WebSudo password validation, admins must complete a 2FA step to ensure protection.

2: How Users Configure 2FA

Authentication Methods

3: Advanced Security Features

3.1 Brute Force Configuration

    Brute Force Configuration helps restrict access to your Jira application after a specified number of invalid 2FA login attempts within a set period.
    To enable this feature:

  • Check the Enable Brute Force Protection for Jira box.
  • Set the number of invalid login attempts that will trigger a lockout.
  • Define the duration for which the user will remain locked out and unable to access Jira.
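The lockout policy above (a threshold of invalid 2FA attempts inside a time window, then a fixed lockout duration) is easy to get subtly wrong, so here is an added, self-contained Python model of it. This is illustrative code written for this page, not the miniOrange app's own implementation; the class and parameter names, and the in-memory store, are assumptions.

```python
from collections import defaultdict, deque


class BruteForceGuard:
    """Model of the 3.1 policy: lock a user after `max_attempts` invalid 2FA
    codes within `window_s` seconds, for `lockout_s` seconds.
    Assumed names; state is kept in memory for illustration only."""

    def __init__(self, max_attempts: int, window_s: int, lockout_s: int):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # user -> timestamps of failed codes
        self._locked_until = {}              # user -> epoch seconds lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]     # lockout has expired
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register an invalid 2FA code; return True if this triggers a lockout."""
        q = self._failures[user]
        q.append(now)
        # Only failures inside the sliding window count toward the threshold.
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        # A valid code resets the failure history but never clears an active lock.
        self._failures.pop(user, None)
```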

3.2 Multilingual Support

  • With the Multilingual Support feature, users can choose their preferred language on all 2FA app pages, enhancing accessibility for diverse user bases. This is especially useful if your end users are from various regions and speak different languages, ensuring a smooth experience for everyone.

    Note: If most of your users use a single language, you can also customize templates directly from the Look & Feel Templates tab for a tailored experience.

3.3 Remember My Device

    This feature allows users to skip the 2FA check when logging in from the same device.
    To enable:

  • Check the Remember My Device box.
  • Enter the number of days for which the device will be remembered in the Expiry Time (in Days) field.
  • You also have the option to allow end users to change their respective expiry times.

3.4 One-Time 2FA Validation

    For Atlassian Apps:

    This feature allows users to bypass 2FA in Atlassian applications after successful 2FA validation in any one of the applications.
    To enable:

  • Enable the toggle.
  • Enter the parent domain and configure the secret key.
  • Ensure the same configuration is applied across all Atlassian applications where you want this feature enabled.
  • Users will need to validate 2FA in one application, and it will be skipped in other Atlassian applications.

    For Crowd Authenticated apps:

    This feature lets users skip 2FA in Crowd-connected applications after a successful 2FA validation in any one Atlassian application.
    To enable:

  • Enable the toggle in each Crowd-connected application where you want 2FA to be skipped.
  • Users will need to validate 2FA in one application, and it will be skipped in the other connected applications.
  • Note: This feature is only available if authentication is done via Crowd.

3.5 Skip 2FA for SSO Users

    This feature allows users to skip 2FA if they log in via Single Sign On (SSO) with any Identity Provider (IDP).
    To enable this, admins need to:

  • Add the Single Sign-On URL for SAML.
  • Add the Callback URL for OAuth/OpenID from the SSO Provider.

3.6 Skip 2FA for Crowd SSO Users

    This feature allows users to skip 2FA when logging in via SSO using the miniOrange Crowd SAML add-on and Jira Crowd connector.
    To enable this, admins need to:

  • Add the Secret Key provided by the miniOrange Crowd add-on.
  • Add the Crowd SSO cookie name.

3.7 Access to Plugin Pages

    By default, only administrators have access to the plugin pages. This feature allows you to define and customise access permissions for specific user groups, granting them the ability to view and manage designated plugin pages.
    To enable this, admins need to:

  • Navigate to the Advanced Options Tab and scroll down to the Access to Plugin Pages section.
  • Next, specify the Page, Group Name, and Access Type from their respective drop-down lists.
  • To add more access permissions, click on Add New Access and follow the same process.

3.8 Group Based 2FA

    This feature gives administrators the ability to limit specific 2FA methods to certain user groups. For example, an organization might offer two login methods, such as OTP Over Email and Mobile Authenticator.
    To enable this, admins need to:

  • Navigate to the Advanced Options Tab and scroll down to the Restrict 2FA Methods Based on Groups section.
  • Click on Add New Method.
  • Specify the 2FA method along with the group for which it is to be restricted.
  • Select a Fallback Method for the group to use if they’re not configured against any method.
  • Any enabled methods not specified in this configuration will remain available to all users by default.

3.9 Enable 2FA on REST API Calls

    This feature allows you to restrict all REST API calls and enforce Multi-Factor Authentication (MFA) for enhanced security. When the "Restrict REST API Calls" toggle is enabled, all API requests are blocked. To enforce 2FA, you must check the box and select a preferred verification method. Once enabled, every API request will require validation of the selected 2FA method, reducing the risk of unauthorized access and protecting sensitive data.
    To enable this, admins need to:

  • Navigate to the Advanced Options Tab.
  • Scroll down to the Force 2FA on REST API calls section and enable the toggle button.
  • To enforce 2FA, check the box and select the preferred verification method.

3.10 URL Based Redirection

    This feature allows you to configure automatic redirection after successful 2FA authentication based on your domain name and port.
    To enable this, admins need to:

  • Navigate to the Advanced Options Tab.
  • Scroll down to the Select URL type for Redirection section and enable the toggle button.

4: User Management

    The miniOrange 2FA app has provisions for efficiently managing 2FA settings for individual users, multiple users, single groups, and multiple groups.
    Let's take a look at how you can manage 2FA for your users and groups.

Enabling 2FA for Single Users:

  • Search for the user by their name in the search bar.
  • Next, select the desired action from the Action column.

Enabling 2FA for multiple Users:

  • Select the users from the list.
  • Choose the desired action from the Bulk 2FA Action drop-down menu.
  • Click Apply.

Enabling 2FA for All Users:

  • Go to the Bulk 2FA Action drop-down menu under the All Users section.
  • Select the required action.
  • Click Apply.

Enabling 2FA for Single Groups:

  • Search for the group by its name in the search bar.
  • Next, select the desired action from the Action column.

Enabling 2FA for Multiple Groups:

  • Select the groups from the list.
  • Choose the desired action from the Bulk 2FA Action drop-down menu.
  • Click Apply.

Enabling 2FA for All Groups:

  • Go to the Bulk 2FA Action drop-down menu under the All Groups section.
  • Select the required action.
  • Click Apply.

5: IP Restrictions

    IP Whitelisting:

  • IP Whitelisting is a security feature that allows trusted users to log into Jira without 2FA. To enable IP Whitelisting, enter the trusted IP addresses in the Whitelist IP Address textbox and click Add.

    IP Blocking:

  • IP Blocking is an access control mechanism that denies Jira access to specified IP addresses. Enter the IP addresses you want to block in the Blacklist IP Address textbox, and customize the message for blocked users in the Blocked User Message textbox. Click Save once you’re done to apply these settings.

6: Reconfigure 2FA

  • End-users can reconfigure their 2FA by navigating to User Profile → Two-factor Plugin Authentication, and accessing the Configure Two Factor (2FA) window. Once inside, they can click on Reset to reconfigure the 2FA method. Users can also configure additional 2FA methods from this window if they haven't done so previously.
