External user security includes these two types of policies for each organization.
External user policy
An external user policy allows you to apply security settings to external users. The settings apply to all the external users in your Atlassian organization.
Test policy
A test policy allows you to test external user security settings for a few users before you roll them out to all your external users. You can add up to 5 external users to a test policy.
After you turn the settings on, they may take a few minutes to apply to external users. When you’re ready to roll out external user security, you can turn the settings on for all your external users from the external user policy.
Learn how to set up a test policy
Review external users before you apply settings
Review the external users in your organization before you change security settings. To review external users and their details, you can export a CSV file of the external users. The export contains information about each external user in your organization.
Learn how to export users
Two-factor verification with one-time passcode
By default, we don't require external users to verify their identity with two-step verification. You need to turn settings on to require two-factor verification. When you turn settings on, all external users need to complete two-factor verification.
When external users try to access product data in your Atlassian organization, we ask them to verify their identity with a temporary one-time passcode that we email them.
Learn about the one-time passcode experience for users
You can turn two-step verification on and off, but you're unable to make any changes to the two-step verification setting.
By default, we don't require external users to re-enter a one-time passcode. You need to turn settings on to require verification frequency.
You can choose how often users need to verify their identity. The session length is between 15 minutes and 30 days. When you set the session length, it only applies to your external users. The setting doesn't apply to managed accounts or mobile sessions.
We update the verification frequency when:
An external user session expires.
You reset sessions for external users.
The external user logs out and logs back in before the session expires.
We recommend letting your external users know about the updates you make.
A session is the amount of time an external user can access products in an organization before you log them out. When you turn settings on for a policy, you’re able to reset a session for the external users in the policy. We log out all external users in about ten minutes. External users need to verify their identity the next time they access your products.
We only reset web sessions but don’t reset mobile sessions.
API token access
You’re able to control API token access to products in your organization with the API token access setting. This setting affects all external users within the organization.