2FA cannot be mandatory

Hi Henrik,

I think “by the end of the year” is too far away, especially for something felt to be as aggressive as this.

Since it’s a Mozilla service, I’d be glad to use my (1FA) Firefox account. But if it isn’t possible, I’d happily use Google login. I’ll e-mail you about this, using “IAM: upset_user login troubleshooting” as subject. Thank you.

Hi @here_there_everywhere,

unfortunately FxA+1FA is not a supported scenario at this point. We reset your profile and you should be able to use Google auth now.

Best regards,
Henrik

Thanks for resetting, but it didn’t work, as I described in the email I just sent you.

BTW, users should have an easily accessible button to make this reset when they get that error I saw! Please make this happen ASAP for everyone else.

For the record: Issue is finally solved. :slight_smile:

This twitter thread by the head of threat intelligence at Google seems interesting.

1 Like

My personal issue is solved, indeed. But, just to make it clear, the issue is not solved, right?

My personal issue required two steps for solution: first, Henrik (@hmitsch) had to pull some levers to reset my profile login mechanisms or something like that; but I also had to perform some very risky and tricky operations with one hand to turn off the problematic autologin thing, as instructed by Henrik: “What you can do is clear the autologin method from localStorage, by running localStorage.removeItem('nlx-last-used-connection') in the Console of your browser Developer Tools. This needs to happen while on the auth.mozilla.auth0.com domain, so best stop page loading as soon as you get to that page”.

So he did his part, I did mine, and I am clear, as I can now login using a Google account. But everyone else is still behind.

This error message [https://discourse-prod-uploads-81679984178418.s3.dualstack.us-west-2.amazonaws.com/original/3X/c/5/c52a3496936c123e4a029d821ff570e422214375.png] should also contain (1) instructions on how to work around it and (2) a button for users to self reset their profile’s login (as it is needed to achieve the workaround). And this should not wait until “the end of the year”.

(BTW, there are other people not wanting mandatory 2FA that already managed to eventually get to this forum and say it: [IMPORTANT] Changing the look of your login, Can't log in to Mozillians, etc.)

But, as for my personal issue, this topic can be closed.

2 Likes

Yes, the general issue isn’t solved.

Solving the root of the problem - technically preventing users from getting into this situation, or providing them an easy way to get out of it (requiring no admin intervention) - is what’ll take until the end of the year. Not because it’s not a priority, but because it’s a complicated problem with many technical, security and UX implications. It’s being actively worked on.

Better messaging to reduce the number of users who are getting into this situation is also being worked on, and will be done well before the end of the year.

Since we are still here discussing 2FA in general (see @r_TlfPuogHW2i9hdoQY1tGww's reply above), we should always consider the risk of 2FA backfiring: if I steal your device and know your password, I have full (and stable) control over your account. I can change the password recovery option, the secondary e-mail, even switch 2FA to live on a second device (of my own): in the end, I can even get to “be you”.

And there’s what’s in the middle: I could simply lose access. Say I use a FIDO U2F key and lose it somewhere (or it’s in my backpack, or in my car, when they are stolen): even if the thief doesn’t know what it is, I don’t have it with me anymore…

So adopting 2FA (of any kind, or any other security solution for this matter) always means trading one risk for another! So this cannot ever be mandatory.

I would suggest simply removing the 2FA requirement altogether, for good.

Yes, but stealing your phone requires physical access, where just stealing (or guessing, or phishing from you) your password can be done remotely, which is much much easier to do. So while 2FA isn’t perfect security, perfect security doesn’t exist:

That’s why 2FA backup codes exist. And there’s always the last resort of manual intervention to help you recover your account.

2FA isn’t mandatory for everyone, but as has been said in this thread we need to improve messaging and flows so that those users who don’t need to enable 2FA don’t get stuck in a position where they have to.

That won’t, and cannot, happen. 2FA is far more secure than single factor authentication, and is a requirement because confidential information is accessible on discourse.

3 Likes

Thank you for the XKCD quote. Just perfect.

As to the reasoning in the last sentence (“2FA […] is a requirement because confidential information is accessible on discourse”), the conclusion does not follow (necessarily) from the reason given: many people have (much more) confidential information elsewhere and 2FA still isn’t mandatory (e-mail accounts, banks…).

Just because some banks and email providers don’t practice good security doesn’t mean Mozilla shouldn’t.

4 Likes

Just now: it took about 40 minutes + a number of attempts to log in here - is it normal?!

@BioLocator: that doesn’t sound good, could you describe what happened?

My problem is similar to

[quote=“here_there_everywhere, post:1, topic:30352”]
got the “you need 2FA” error. Then I tried Firefox login, and the same error showed.
[/quote]
For Discourse, Firefox login is useless. AT ALL.
After turning 2FA ON, I discovered the necessity to install the Authy application on my tablet. Without a nearby Wi-Fi AP it turned into a very interesting exercise)
But it was only the first fun exercise of several others.
For an unclear reason the installed Authy application produced wrong codes - that was an even more fun trick). Only after many unsuccessful attempts to log in did I think to reinstall Authy and go all the way again.
It’s hard for me to believe that it’s behind…
Have I finally got into a really paranoid company?
Next time, will that quest need to be repeated? Thank you very much…

I realise 2FA isn’t always so much fun to set up.

One way to get around it here on Discourse is by using Passwordless login, this works by entering a new email address and choosing ‘Send me an email’. Note that if the email address is the same as the one you registered before, it will ask you to use Firefox Accounts with 2FA.

Hope this helps!

2 Likes

Same issue here. Totally agree with the OP’s views.

Hi @vlads777 and @BioLocator,

do you still have any login issues with Mozilla IAM?

Best regards,
Henrik

(I guess not.)
https://www.businessinsider.com/world-population-mobile-devices-2017-9 :
Unique mobile subscribers globally passed 5 billion in Q2 2017; over two-thirds of the world’s population is connected by mobile device. Many 2FA devices are even cheaper than a mobile; there are $10 ones that don’t require network access. And some (such as fingerprints & faces) are $0. There are several that are paper-based, e.g. grids and simple OTPs (e.g. PPP).

More importantly, I’m convinced the benefits of pushing it far outweigh the downsides. Of course 2FA is a hassle. But generally, we’re doing our users who don’t use 2FA a favor by pushing them to act in their own longer-term self interest - well, except that as this thread makes clear, it’s actually far from mandatory. The poster who installed Authy may well be a good example of someone who’s been done a favor they may not appreciate yet. But that sort of attitude is not really one that fits the Firefox vibe, so it’s appropriate to make the changes that folks have said are already planned.

Just my 2¢, and I did just have to set up 2FA for my mozilla account, but it was easy, as I use it elsewhere - most, if not all places I go that offer it. And I’ve recently felt the pain - been through the hassle of dealing with a lost second factor - definitely a better experience than discovering and dealing with an account that had been breached.

1 Like

In case this is still being watched by those making / updating auth policies, I’d like to add a data point. Some of us can’t have our phones (or a hardware token like Yubikey) with us all day because we work in a secured facility that doesn’t allow personal electronics. This isn’t uncommon! It means that we wind up needing backup codes for 2FA all the time, which probably makes it more hassle than it’s worth.

Let’s look at the design from another perspective: who decided that my Mozilla account is somehow “more secure” than GitHub, which is then (I think?) supposed to be “more secure” than Google? I would say you’ve got that exactly backwards, at least for my personal use. I go to much greater lengths to protect my Google account – which includes stored Play Store payment information, sensitive documents in Drive / Docs, my primary personal email / internet driver’s license, etc – than my Github account, though, granted, it doesn’t have permissions on important repos as some might. And I don’t think I even have a Mozilla account, but if I do, I only use it for messaging (forums, bug trackers, etc) so having it compromised would be no big deal and (hopefully) easily rectified.

Of course, I’m arguing what I treat as being “more secure” rather than what’s protected by more security measures. I’d say that’s likely a wash. As far as I can tell, all 3 account systems allow 2FA but don’t require it, allow automated recovery using at least email and maybe an associated phone number, notify users of potentially suspicious logins, etc etc. If Mozilla is going to express a preference based on the assertion that one system is “more secure”, a) document that assertion (and link to those docs whenever you make it!), b) give us your reasoning, and c) be damned sure you’re right.

2 Likes

Hi @Thw0rted,

thanks for reaching out. You are right that the “more secure” terminology is misleading. We have discussions going on within the IAM Project Team on how to better name these concepts. This is not well represented in our error messages at this point.

One reason why we started to call some accounts “more secure” than others is because certain Identity Providers tell us whether or not users authenticated using 2FA: Github and Firefox Accounts relay this information. Google does not.

This is not to say that Google authentication is less secure. However, we have security policies in place which require 2FA for certain interactions. That’s the main reason for choosing the “more secure” terminology.

Best regards,
Henrik

1 Like
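A worked illustration of the distinction Henrik draws above, added here and not part of Mozilla IAM's code or anything posted in the thread: a relying party can only enforce a 2FA policy when the upstream Identity Provider relays whether a second factor was used, and "the provider told us nothing" must be handled differently from "the provider said only a password was used". The example assumes the signal arrives as the OpenID Connect `amr` (Authentication Methods References, RFC 8176) claim in the ID token; the thread does not say which mechanism Mozilla IAM uses or what each provider sends, and the issuer names and claims below are constructed samples.

```python
"""
Added example (not Mozilla IAM code): classify a login by the second-factor
evidence an IdP relayed, then decide access to a 2FA-gated resource.

Assumption: the evidence is the OIDC `amr` claim (RFC 8176). Provider
behaviour varies; every sample claim set here is constructed.
"""
import base64
import json
from enum import Enum
from typing import Any, Mapping, Tuple

# RFC 8176 method references grouped by factor class. "mfa" on its own means
# the IdP asserts that multiple factors were used, whatever they were.
FACTOR_CLASS = {
    "pwd": "knowledge", "pin": "knowledge",
    "otp": "possession", "hwk": "possession", "swk": "possession",
    "sms": "possession", "tel": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence", "vbm": "inherence",
}


class MfaStatus(Enum):
    VERIFIED = "verified"   # IdP asserted that a second factor was used
    NOT_USED = "not_used"   # IdP listed methods, but only one factor class
    UNKNOWN = "unknown"     # IdP relayed no signal at all


def mfa_status(claims: Mapping[str, Any]) -> MfaStatus:
    """Classify the claims of an already-verified ID token."""
    amr = claims.get("amr")
    if not isinstance(amr, list):
        # Absent (or malformed) claim: the IdP told us nothing. Do not guess.
        return MfaStatus.UNKNOWN
    methods = {str(m).lower() for m in amr}
    if "mfa" in methods:
        return MfaStatus.VERIFIED
    classes = {FACTOR_CLASS[m] for m in methods if m in FACTOR_CLASS}
    return MfaStatus.VERIFIED if len(classes) >= 2 else MfaStatus.NOT_USED


def authorize(claims: Mapping[str, Any], resource_requires_2fa: bool) -> Tuple[bool, str]:
    """Return (allowed, user-facing message). The message names the next step,
    so a blocked user is not left guessing how to get past the error."""
    if not resource_requires_2fa:
        return True, "ok"
    status = mfa_status(claims)
    if status is MfaStatus.VERIFIED:
        return True, "ok"
    if status is MfaStatus.NOT_USED:
        return False, ("This resource requires a second factor. Enable 2FA at your "
                       "identity provider and sign in again.")
    return False, ("Your identity provider did not report whether a second factor "
                   "was used. Sign in with a provider that relays 2FA status.")


def payload_claims(id_token: str) -> Mapping[str, Any]:
    """Parse the payload segment of a compact JWT. Call this only after a JOSE
    library has verified signature, issuer and audience; parsing proves nothing."""
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_sample_token(claims: Mapping[str, Any]) -> str:
    """Constructed sample only: a JWT-shaped string with an empty signature so
    the example runs offline. A real verifier must reject alg "none"."""
    def enc(d: Mapping[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims, one per situation the thread describes.
SAMPLES = {
    "password_plus_totp": {"iss": "https://idp-a.example", "sub": "u1", "amr": ["pwd", "otp"]},
    "hardware_key_mfa":   {"iss": "https://idp-a.example", "sub": "u2", "amr": ["mfa", "hwk"]},
    "password_only":      {"iss": "https://idp-b.example", "sub": "u3", "amr": ["pwd"]},
    "no_signal_relayed":  {"iss": "https://idp-c.example", "sub": "u4"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        token = make_unsigned_sample_token(claims)
        allowed, msg = authorize(payload_claims(token), resource_requires_2fa=True)
        print(f"{name:20} {mfa_status(claims).value:9} allowed={allowed}  {msg}")
```

The point of the three-way status is the one the thread keeps circling: a provider that sends no `amr` at all is not "less secure", it is simply silent, and the relying party should say so in its error text rather than label the account. Treating silence as "no 2FA" would also wrongly block users who do have a second factor enabled at that provider.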