Last updated Jul 12, 2023

Two-Step Verification aka 2SV for Partners in Marketplace

Why do we need 2SV?

Today, the Identity and Access Management policies for Marketplace Partner user accounts use single sign-on, so a malicious user who gains access to account details can impersonate the partner. The impersonator can then provide a new version of the app to gain access to customer data, access sensitive business reports, change the app's listing content, delete or archive an app, change the pricing, etc.

Who might be impacted:

  • Customers - Due to security breaches, customers' data becomes available to unauthorized users.

  • Marketplace partners - Partners' sensitive data is at risk of being compromised by unauthorized users. Marketplace partners lose credibility for not ensuring customer data security.

  • Atlassian - Atlassian Marketplace's credibility with partners and customers suffers if it does not provide the best security controls for their actions and data, respectively.

What is Two-step Verification?

Two-step verification is an additional layer of security that helps protect your account by requiring a second form of verification in addition to your email password. With 2SV enabled, accessing sensitive data on your partner accounts will require two different factors to prove your identity, significantly reducing the risk of unauthorized access.

Actions required by Partners:

We explored multiple authentication options, such as enforcing MFA for the Atlassian organization and enforcing MFA at the time of login. However, these had a few technical limitations, such as requiring a paid Atlassian Access subscription and not being able to include other federated logins behind them. As a result, we are going ahead with step-up authentication to secure critical flows in Marketplace. Atlassian will enforce this solution for all Marketplace partner logins, satisfying our compliance requirements.

Here are the actions required from partners for successfully entering into an active 2SV session:

  1. Users can log in to their accounts as they did before, using their username and password.

  2. Certain activities, such as accessing highly sensitive data, managing app details, initiating financial transactions, or modifying critical account settings, will require additional authentication to ensure the user's identity and reduce the risk of unauthorized access.

  3. Marketplace will redirect the user to an Identity verification screen requesting an OTP for such actions.

  4. In parallel, partners will be sent an OTP at the email address registered with their Atlassian Marketplace account, which must be entered on the verification screen.

  5. Once the right OTP is provided, the session will be active and partners will be directed to the initially requested content.

Specifications:

Pages blocked behind 2SV:

  • The 'Manage Vendor' and 'Manage Apps' sections will only be accessible through 2SV.

  • Sensitive UI APIs used in the above pages would also be protected behind 2SV, and any unauthorized access will return 401.

What is not covered with 2SV:

Session expiry time:

Any session logged in through 2SV will remain active for seven days, after which re-authentication will be required to access the content.
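
The behaviour specified above (an emailed OTP for step-up, 401 on protected UI APIs without an active 2SV session, seven-day expiry, logout ending the session, independent sessions per browser) can be modelled as follows. This is an added example, not Atlassian's implementation; the class and method names, the six-digit OTP, the ten-minute OTP lifetime, the attempt limit and the in-memory storage are all assumptions.

```python
import hmac
import secrets

SESSION_TTL = 7 * 24 * 3600   # seven-day 2SV session, as the page specifies
OTP_TTL = 10 * 60             # assumption: the page gives no OTP lifetime
MAX_ATTEMPTS = 5              # assumption: guess limit per issued OTP


class StepUpGate:
    """Tracks 2SV state per login session (one session per browser)."""

    def __init__(self, send_email):
        self.send_email = send_email   # hypothetical mail hook: (address, otp)
        self.pending = {}              # session_id -> [otp, expires_at, attempts_left]
        self.verified = {}             # session_id -> 2SV expiry timestamp

    def start_challenge(self, session_id, registered_email, now):
        otp = f"{secrets.randbelow(10**6):06d}"   # CSPRNG; 6 digits is assumed
        self.pending[session_id] = [otp, now + OTP_TTL, MAX_ATTEMPTS]
        self.send_email(registered_email, otp)

    def verify(self, session_id, submitted, now):
        entry = self.pending.get(session_id)
        if entry is None or now > entry[1]:
            self.pending.pop(session_id, None)      # nothing issued, or OTP expired
            return False
        entry[2] -= 1
        # Constant-time comparison so response timing does not leak the OTP.
        ok = hmac.compare_digest(entry[0].encode(), submitted.encode())
        if ok or entry[2] == 0:
            del self.pending[session_id]            # single use, or guesses exhausted
        if ok:
            self.verified[session_id] = now + SESSION_TTL
        return ok

    def authorize(self, session_id, now):
        """HTTP status for a protected UI API call: 200 or 401."""
        expiry = self.verified.get(session_id)
        if expiry is None or now >= expiry:
            self.verified.pop(session_id, None)     # never verified, or expired
            return 401
        return 200

    def logout(self, session_id):
        # Logging out ends the 2SV session before the seven days are up.
        self.pending.pop(session_id, None)
        self.verified.pop(session_id, None)
```

Because state is keyed by login session rather than by account, a second browser starts unverified and must complete its own OTP challenge, which matches the parallel-session behaviour described in the FAQ.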

Frequently Asked Questions:

  1. What are the consequences of not performing the 2SV as a Marketplace partner?

    • Partners will not be able to access the sensitive content that has been requested.
  2. When will Two-Step Verification be live?

    • 2SV will be live on Marketplace in September 2023.
  3. What is the duration of an active session once logged in through 2SV?

    • A session remains active for seven days until logged off.
  4. Is there a way for partners to terminate a session prematurely? (before the seven days session is up)

    • Yes, partners can terminate their active session if they log out of their accounts.
  5. Can I extend the active session period to greater than seven days?

    • No, the session's active period is seven days to ensure security.
  6. Can there be parallel active 2SV sessions?

    • Yes, there can be parallel sessions on different browsers.
  7. On which email would I get the OTP?

    • Your registered email ID with Atlassian Marketplace.
  8. Are there any other means of enabling 2SV? Through authentication apps etc.?

    • No, after exploring multiple options, we have devised step-up authentication as the only feasible method for Marketplace.
  9. What are the backup systems if 2SV fails? (Scenario: Primary service fails, and partner needs to log into their account immediately)

    • A run-book is planned for handling failure scenarios in the integration phase.
  10. Will my automation setup be affected by the introduction of 2SV?

    • Since none of the reporting and partner-facing APIs has been affected by 2SV, the automation setup should work as before without any issues.
