If you recently noticed a change in your authentication settings
Beginning the week of March 15th, we started migrating two-step verification and other settings to your new authentication policies. Learn about what's changed

Enforced two-step verification is available when you subscribe to Atlassian Access. Read more about how to start with Atlassian Access.

About two-step verification

Two-step verification adds a second login step to your managed users’ Atlassian accounts by requiring them to enter a 6-digit code in addition to their password when they log in. The second step keeps their account secure even if the password is compromised.

Each user enables two-step verification for their Atlassian account. They can install a login verification app (such as Google AuthenticatorAuthy, or Duo) on their phone or choose to get the 6-digit code via text. When users log in, they check the login verification app, or text, for a 6-digit code that they enter at the second step. Read about how users enable two-step verification.

When you enforce two-step verification, you require your users to enable two-step verification on their accounts – they won't be able to log in to your Atlassian Cloud products until they do so.

As an organization admin, you need to verify one or more domains before you can enforce two-step verification on your user's Atlassian accounts. Learn how to verify a domain for your organization

Any user can enable two-step verification for their Atlassian account at no cost. However, as an organization admin, if you'd like to require all your users to enable two-step verification, you'll need an Atlassian Access subscription

Enforce two-step verification

When you enforce two-step verification, your managed users won't be able to log in to your Atlassian cloud products until they enable two-step verification on their accounts.

  • You should enable two-step verification for your own account first before enforcing it for all users.

  • If you enforce two-step verification, scripts and services that currently authenticate with your Atlassian cloud products will need to use an API token.

  • You can only enforce two-step verification on user accounts from your verified domains. Users that are either self-managed or managed by another domain, and haven’t enabled two-step verification, can still log in without using two-step verification.

Two-step verification in authentication policies

You can find two step-verification in Authentication policies. Authentication policies give you the flexibility to configure multiple security levels for different user sets within your organization. Authentication policies also reduce risk by giving you the ability to test different single sign-on configurations for subsets of users before rolling them out to your whole company. Learn more about Authentication policies

To require two-step verification from an authentication policy:

  1. Navigate to Authentication policies at
  2. Select Edit for the policy you want to modify.
  3. On the Settings page, select Require.

If you enforce single sign-on, you set up two-step verification in your identity provider (Google, Azure, Okta, etc.) and not in your authentication policy. Learn more about enforcing single sign-on in authentication policies 

Two-step verification for end-users

After you require two-step verification, we don’t log users out of their current sessions, and we don’t send emails reminding users to set up two-step verification.

The next time existing users log in, we'll prompt them to set up two-step verification

Make two-step verification optional for users

When you make two-step verification optional for users, they can continue to log in with two-step verification or can choose to stop using it.

To make two-step verification optional:

  1. Navigate to Authentication policies at

  2. Select Edit for the policy you want to make two-step optional.

  3. On the Settings page, select Optional.

Find the accounts without two-step verification enabled

You can see a list of all accounts from your verified domains that don't yet have two-step verification enabled:

  1. From your organization at, select Directory > Managed accounts.

  2. Select All accounts dropdown.

  3. Under Two-step verification, select Not enabled.

We’ll provide a list of Atlassian accounts that are managed in your organization without two-step verification enabled. 

Troubleshoot two-step verification with authentication policies

There are situations when a member of an authentication policy can’t log in with two-step verification.

  • They've lost their phone and so won't be able to log in.

  • They don’t have a phone capable of downloading a login verification app.

If the member has set up two-step verification:

  1. From your organization at, select Security > Authentication policies.

  2. Move member to a policy where two-step verification is optional.

  3. Select Directory > Managed accounts> Show details to open the member’s page.

  4. Select Disable two-step verification so the member can reset two-step verification and log in.

  5. Move the member back to the previous policy.

If the member hasn’t set up two-step verification:

  1. From your organization at, select Security > Authentication policies.
  2. If two-step is required for the member, move them to a policy where two-step is optional.
  3. The member can now log in with only a password.

Use REST API tokens

If you enforce two-step verification, scripts and services won't be able to use a password for basic authentication against a REST API. We recommend that you use an API token instead, although an organization admin could exclude the relevant account from two-step verification, as described above. Read more about API tokens