Today the Identity and Access Management policies for Marketplace Partner user accounts rely on single sign-on alone, so a malicious user who obtains a partner's account details can impersonate that partner. The impersonator can publish a new version of the app to gain access to customer data, read sensitive business reports, change the app's listing content, delete or archive an app, change the pricing, and so on.
Who might be impacted:
Customers - Due to security breaches, customers' data becomes available to unauthorized users.
Marketplace partners - Partners' sensitive data is at risk of being compromised by unauthorized users. Marketplace partners lose credibility for not ensuring customer data security.
Atlassian - Atlassian Marketplace's credibility with partners and customers suffers if it does not provide strong security controls for their actions and data, respectively.
Two-step verification is an additional layer of security that helps protect your account by requiring a second form of verification in addition to your email and password. With 2SV enabled, accessing sensitive data on your partner account requires two different factors to prove your identity, significantly reducing the risk of unauthorized access.
We explored multiple authentication options, such as enforcing MFA for the Atlassian organization and enforcing MFA at the time of login. However, these had technical limitations: they require a paid Atlassian Access subscription, and other federated logins could not be placed behind them. As a result, we are going ahead with step-up authentication to secure critical flows in Marketplace. Atlassian will enforce this solution for all Marketplace partner logins, satisfying our compliance requirements.
Here are the actions required from partners to successfully enter an active 2SV session:
Certain activities, such as accessing highly sensitive data, managing app details, initiating financial transactions, or modifying critical account settings, will require additional authentication to ensure the user's identity and reduce the risk of unauthorized access.
For such actions, Marketplace redirects the user to an identity verification screen that requests a one-time password (OTP).
Pages blocked behind 2SV:
The 'Manage Vendor' and 'Manage Apps' sections will only be accessible through 2SV.
Sensitive UI APIs used by the above pages are also protected behind 2SV; any request made without an active 2SV session returns 401.
What is not covered with 2SV:
Session expiry time:
Any session established through 2SV remains active for seven days, after which re-authentication is required to access the protected content.
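The step-up model described above, as an added illustration that is not Marketplace's own code: a session records when the OTP check last succeeded, protected pages redirect to the identity-verification screen until then, protected UI APIs answer 401 instead, and the verified state lapses after seven days. Route prefixes, the redirect path and the sample timestamps are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy stated on the page: a 2SV session stays active for seven days.
STEP_UP_SESSION_TTL = timedelta(days=7)
# Hypothetical route table for the areas the page says are gated behind 2SV.
PROTECTED_PREFIXES = ("/manage/vendor", "/manage/apps", "/api/ui/")
# Hypothetical location of the identity-verification (OTP) screen.
VERIFY_PATH = "/identity-verification"
# Constructed reference time used by the usage below.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class Session:
    user_id: str
    # When the user last completed the OTP step; None until they have.
    two_step_verified_at: Optional[datetime] = None


def step_up_is_active(session: Session, now: datetime) -> bool:
    """True only if the OTP step completed less than seven days ago."""
    if session.two_step_verified_at is None:
        return False
    return now - session.two_step_verified_at < STEP_UP_SESSION_TTL


def is_protected(path: str) -> bool:
    return path.startswith(PROTECTED_PREFIXES)


def authorize(session: Session, path: str, now: datetime, is_api: bool) -> tuple[int, str]:
    """Decide a request: allow, redirect a page to the OTP screen, or 401 an API call."""
    if not is_protected(path) or step_up_is_active(session, now):
        return 200, "allow"
    if is_api:
        return 401, "unauthorized"
    return 302, "redirect:" + VERIFY_PATH


def complete_otp(session: Session, submitted: str, expected: str, now: datetime) -> bool:
    """Mark the session step-up verified when the OTP matches (constant-time compare)."""
    if hmac.compare_digest(submitted, expected):
        session.two_step_verified_at = now
        return True
    return False
```

A real deployment would also invalidate the stored verification time on logout so the seven-day window cannot outlive the login itself.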
What are the consequences of not performing the 2SV as a Marketplace partner?
When will Two-Step Verification be live?
What is the duration of an active session once logged in through 2SV?
Is there a way for partners to terminate a session prematurely (before the seven-day session is up)?
Can I extend the active session period to greater than seven days?
Can there be parallel active 2SV sessions?
On which email would I get the OTP?
Are there any other means of enabling 2SV, for example through authenticator apps?
What are the backup systems if 2SV fails? (Scenario: Primary service fails, and partner needs to log into their account immediately)
Will my automation setup be affected by the introduction of 2SV?