MFA Follow Up Tracking

Initial info from cybersecurity/Derek Simmel: 1/30/2024

During today's cybersecurity group meeting, I was reminded that TFA/MFA options for Jira/Confluence were explored by team members between December 2022 and March 2023, and that the conclusion of those looking into it at the time was that there was no good way to enforce it by configuring the service or requiring a specific login method. Doing so with Google accounts costs money per month per account, and that would likely be prohibitively expensive for ~300 ACCESS staff. We'll check to see if things have changed, but we're not optimistic.

Since all Atlassian users can enable "Two-step verification" for themselves, together with an app like Google Authenticator, the approach I'd like to take for now is to:

(1) Document instructions for setting up "two-step verification" for one's own Atlassian account, managing it, and what to do if you cannot get to your TFA App or lose it.

(2) Create a new ACCESS Staff policy that requires everyone to enable "two-step verification" on their Atlassian account.

(3) If possible, periodically check logs from the service to identify whose Atlassian logins do not yet have "two-step verification" enabled to follow up and help them to do so.

 

So hold tight for now while we get the instructions and troubleshooting docs together. If you know whether or not it's possible to check authentication logs for the services, that'd be useful information - otherwise we can ask Atlassian for guidance there.


From Shannon Bradley 1/31/2024

Thank you, Derek!

Based on the documentation for Atlassian, this shows how to view and use the audit log:

https://support.atlassian.com/organization-administration/docs/track-organization-activities-from-the-audit-log/

Following those instructions -

This is the direct link I believe: https://admin.atlassian.com/o/79394jc8-47j3-1897-kk3c-15099c2b8d66/audit-log