[Blog post] Two-factor authentication required for extension developers

Effective March 15, 2021, Firefox extension developers will need to have two-factor authentication (2FA) enabled on their Firefox Accounts to log into addons.mozilla.org (AMO).

If you are an extension developer and do not have enabled 2FA by this date, you will be directed to your Firefox Account settings to turn it on the next time you log into AMO.

Read more on the Add-ons Blog >>


I did it, and frankly, this is a pain.
I am quite unsatisfied about this I must say:

  • You have to install a separate application - why on earth should we do that ??
  • And you have to run it at the moment of answering, so extra steps of copy / pasting, for a security gain which seems relatively small, if any
  • When you are travelling, then you need the same application to come with you
  • So you need to register the secrets in plenty of places
  • Or you need to have it on a device always with you(e.g. a mobile)
  • But guess what happens when your mobile has no more battery, or lost it ?

Plus this is quite badly explained on the blog and on the support page:

  • A list of applications / services selected by we do not know who and in which we may not have any confidence
  • Nothing saying this is using in fact HMAC based on time = TOTP
  • So nothing allowing us to pick another choice
  • And a dependency on being on a device with 30s precise clock at the moment of response code generation, or else you can’t log in

All in all, I feel that security is really creating a problem for people it is supposed to protect, but not really for the people against whom we want to protect.

A bit of security is ok, but not too much. This is like people who put several locks on their doors = full pockets with plenty of keys that end up making a hole in the pocket, losing the keys, and cannot enter anymore so have to break the door … while robbers can go through the roof, or simply make a hole in a wall or in a window, in a few minutes, if they really want to enter.

Can’t thank anybody here for the pain this all generates
-> A unhappy user / developer.

Is there a way to regain access to my developer account without having to communicate my mobile phone number to You or a third party?
I have never used these kind of authentication systems, but given the multiple data breach events (of which only a few are discovered and brought to the attention of the folk) I do not want to communicate this type of data with anyone.
If there is a way, could you please create a fool-proof guide?
Thank you

Hi @robbi73, a number of authenticators work without needing your mobile number. LastPass is a a free, frequently recommended option. Dashlane is another option. I’ve also seen people in the community talking about using KeePassXC. Those are all good places to start.

Hi, thank you for your reply.
LastPass and Dashlane works as app installed in a smartphone (that i don’t own. I have an old feature phone).
Instead KeePassXC seems to not suport 2FA at all.
Frankly I’m not understanding much.
I would like a desktop application for Window that allows me to perform this authentication without having to buy a smartphone or submit my mobile number in a form field.
If there is no such possibility I will make a reason and close the account.
Misfortunes are something else…

KeePassXC seems working for me with 2FA:
Guide pratique : utiliser KeePassXC
Its addon integrate it in Browsers (with Waterfox classic not perfectly but can work in my test):

But yes, that’s a pain in general to don’t have the choice to use the normal login.

Totally agree with the whole of this post.
In fact for me i don’t need these 2FA things actually.
Maybe if we use Syn or post and maintain an addon, but:

I don’t use Sync and I use just this Firefox account to rate and review the addons.
If i am “developper” of addon it is only because, a long time ago, i tested a way to port automatically an Chrome addon to firefox with the help of another addon (as i can remember).

It should be great and more friendly to have the choice for the login process:
1 - Normal login for normal usage of the Mozilla site.
1 - Dev/Sync Login 2FA for more secure

Agreed, and that’s how it’s currently set up! Anyone who isn’t registered as a developer of an extension doesn’t have to put their account under 2FA.

Yes, but before we can choose to log as normal user or Dev …
Now, there are not options:
If you are “dev”, you have only the choice to 2FA.