2FA cannot be mandatory

participation
privacy
security
login

(James B) #21

In case this is still being watched by those making / updating auth policies, I’d like to add a data point. Some of us can’t have our phones (or a hardware token like YubiKey) with us all day because we work in a secured facility that doesn’t allow personal electronics. This isn’t uncommon! It means that we wind up needing backup codes for 2FA all the time, which probably makes it more hassle than it’s worth.

Let’s look at the design from another perspective: who decided that my Mozilla account is somehow “more secure” than GitHub, which is then (I think?) supposed to be “more secure” than Google? I would say you’ve got that exactly backwards, at least for my personal use. I go to much greater lengths to protect my Google account – which includes stored Play Store payment information, sensitive documents in Drive / Docs, my primary personal email / internet driver’s license, etc. – than my GitHub account, though, granted, it doesn’t have permissions on important repos as some might. And I don’t think I even have a Mozilla account, but if I do, I only use it for messaging (forums, bug trackers, etc.) so having it compromised would be no big deal and (hopefully) easily rectified.

Of course, I’m arguing what I treat as being “more secure” rather than what’s protected by more security measures. I’d say that’s likely a wash. As far as I can tell, all 3 account systems allow 2FA but don’t require it, allow automated recovery using at least email and maybe an associated phone number, notify users of potentially suspicious logins, etc., etc. If Mozilla is going to express a preference based on the assertion that one system is “more secure”, a) document that assertion (and link to those docs whenever you make it!), b) give us your reasoning, and c) be damned sure you’re right.


(Henrik Mitsch) #22

Hi @Thw0rted,

thanks for reaching out. You are right that the “more secure” terminology is misleading. We have discussions going on within the IAM Project Team on how to better name these concepts. This is not well represented in our error messages at this point.

One reason why we started to call some accounts “more secure” than others is because certain Identity Providers tell us whether or not users authenticated using 2FA: GitHub and Firefox Accounts relay this information. Google does not.

This is not to say that Google authentication is less secure. However, we have security policies in place which require 2FA for certain interactions. That’s the main reason for choosing the “more secure” terminology.

Best regards,
Henrik
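
The policy described in the post above, sketched as an added example that is not part of the thread and not Mozilla's code: a relying party gates 2FA-required interactions on a signal relayed by the identity provider, and keeps "the provider cannot tell us" separate from "the provider said no 2FA". It assumes the signal arrives as an OIDC-style `amr` list (RFC 8176, value `mfa`) in already-validated token claims; the provider labels and function names are hypothetical.

```python
from enum import Enum

# Which providers relay a 2FA signal, as stated in the post above.
# The keys are hypothetical labels, not real connection names.
RELAYS_2FA_SIGNAL = {"github": True, "firefoxaccounts": True, "google": False}


class Decision(Enum):
    ALLOW = "allowed"
    DENY_NO_2FA = "provider reported a login without 2FA"
    DENY_UNVERIFIABLE = "provider does not report whether 2FA was used"


def evaluate(provider: str, claims: dict, requires_2fa: bool) -> Decision:
    """Decide access from validated token claims (signature checks assumed done)."""
    if not requires_2fa:
        return Decision.ALLOW
    # Fail closed: an unknown provider, or one that does not relay the signal,
    # cannot satisfy the policy even if an "amr"-like value shows up.
    if not RELAYS_2FA_SIGNAL.get(provider, False):
        return Decision.DENY_UNVERIFIABLE
    amr = claims.get("amr") or []
    if isinstance(amr, str):  # tolerate a single string instead of a list
        amr = [amr]
    return Decision.ALLOW if "mfa" in amr else Decision.DENY_NO_2FA


def user_message(decision: Decision) -> str:
    """Error text that describes the missing signal, not a 'more secure' ranking."""
    if decision is Decision.DENY_UNVERIFIABLE:
        return "This login method cannot confirm 2FA to us; use one that can."
    if decision is Decision.DENY_NO_2FA:
        return "This resource requires 2FA; enable it with your login provider."
    return ""


# Constructed sample logins: (provider, claims)
SAMPLE_LOGINS = [
    ("github", {"sub": "u1", "amr": ["pwd", "mfa"]}),
    ("github", {"sub": "u2", "amr": ["pwd"]}),
    ("google", {"sub": "u3"}),
    ("google", {"sub": "u4", "amr": ["mfa"]}),  # signal from a non-relaying provider
]

if __name__ == "__main__":
    for provider, claims in SAMPLE_LOGINS:
        d = evaluate(provider, claims, requires_2fa=True)
        print(provider, claims["sub"], d.name, user_message(d))
```
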


#23

I agree with everything @Thw0rted just said. Clapping hands over here.

On the other hand, you folks from Mozilla seem to prioritize long-term discussions over implementing immediate provisional changes. I haven’t tried to go through the whole herculean registering process, but according to what @Thw0rted said it probably remains the same.