Enforce secure 2FA for users


#1

Hello, I would like the login procedure to always enforce 2FA.

Right now we are exploring the possibilities of working in Cloud9. We have set up a small team of some users and started to collaboratively work on some projects. So far, it is very nice.

The issue for us now is that we would like to use 2FA for all our cloud resources, including C9. I found the following in the help topics:

Currently 2FA is not supported by Cloud9, but there is a work-around:
Cloud9 doesn’t directly support two-factor authentication. To work around this, you may sign into Cloud9 with your GitHub account and set that up: GitHub Two-Factor Authentication Instructions. Once this is set up, you can set your Cloud9 password to be a very long, complex string of characters so it is nearly impossible to crack. From then on, you’ll sign in with GitHub, effectively enabling two-factor authentication.

It may be nearly impossible to crack, but we try to stick with a policy to only use 2FA for any Cloud Software that has our clients’ data/code.

What I want to achieve is that I can disable username/password login and enforce BitBucket’s 2FA login. Since our source code repositories are in BitBucket, which supports 2FA, I would like this to be the only possible way of getting into C9 by disallowing the username/password login.

Could you please consider this option some time in the future?

Best, René


#2

Also, supporting MFA devices like YubiKey would be a big hit!

More and more users are using Chromebooks (I moved to Chromebook a week ago) and security is a pretty important thing to consider. I’m using my YubiKey (hardware key) to log in to Google/GitHub and so on, so I’d be very happy to see it supported here too.


#3

I think this would be a great feature.


#4

+1 for this

Even just an OTP system I can attach to Google Authenticator would be better than plain password auth.


#5

+1

As a new C9 user, it looks like the best online IDE available, but really needs 2FA to keep our data safe. Was really surprised it hasn’t been implemented considering what’s at stake from a developer’s/business’ perspective.