[Blog post] Two-factor authentication required for extension developers

Effective March 15, 2021, Firefox extension developers will need to have two-factor authentication (2FA) enabled on their Firefox Accounts to log into addons.mozilla.org (AMO).

If you are an extension developer and have not enabled 2FA by this date, you will be directed to your Firefox Account settings to turn it on the next time you log into AMO.

Read more on the Add-ons Blog >>

2 Likes

I did it, and frankly, this is a pain.
I am quite unsatisfied about this, I must say:

  • You have to install a separate application - why on earth should we do that??
  • And you have to run it at the moment of answering, so extra steps of copy/pasting, for a security gain which seems relatively small, if any
  • When you are travelling, you need the same application to come with you
  • So you need to register the secrets in plenty of places
  • Or you need to have it on a device that is always with you (e.g. a mobile)
  • But guess what happens when your mobile has no more battery, or you lose it?

Plus this is quite badly explained on the blog and on the support page:

  • A list of applications / services selected by who knows who, and in which we may not have any confidence
  • Nothing saying that this is in fact using time-based HMAC (TOTP)
  • So nothing allowing us to pick another choice
  • And a dependency on being on a device with a clock accurate to 30 s at the moment the response code is generated, or else you can’t log in

All in all, I feel that security is really creating a problem for people it is supposed to protect, but not really for the people against whom we want to protect.

A bit of security is ok, but not too much. This is like people who put several locks on their doors: pockets full of keys that end up making a hole in the pocket, losing the keys, and then they cannot enter anymore and have to break the door … while robbers can go through the roof, or simply make a hole in a wall or in a window, in a few minutes, if they really want to enter.

Can’t thank anybody here for the pain this all generates.
-> An unhappy user / developer.

1 Like

Hello,
Is there a way to regain access to my developer account without having to communicate my mobile phone number to you or a third party?
I have never used this kind of authentication system, but given the multiple data breach events (of which only a few are discovered and brought to the public's attention) I do not want to communicate this type of data to anyone.
If there is a way, could you please create a fool-proof guide?
Thank you

Hi @robbi73, a number of authenticators work without needing your mobile number. LastPass is a free, frequently recommended option. Dashlane is another option. I’ve also seen people in the community talking about using KeePassXC. Those are all good places to start.

Hi, thank you for your reply.
LastPass and Dashlane work as apps installed on a smartphone (which I don’t own; I have an old feature phone).
KeePassXC, on the other hand, seems not to support 2FA at all.
Frankly, I’m not understanding much.
I would like a desktop application for Windows that allows me to perform this authentication without having to buy a smartphone or submit my mobile number in a form field.
If there is no such possibility I will resign myself to it and close the account.
Misfortunes are something else…

KeePassXC seems to work for me with 2FA:
Guide pratique : utiliser KeePassXC
Its add-on integrates it into browsers (with Waterfox Classic not perfectly, but it can work in my tests):
KeePassXC-Browser

But yes, it’s a pain in general not to have the choice to use the normal login.

Totally agree with the whole of this post.
In fact, I don’t actually need these 2FA things.
Maybe if we use Sync or post and maintain an add-on, but:

I don’t use Sync and I use just this Firefox account to rate and review the addons.
If I am a “developer” of an add-on it is only because, a long time ago, I tested a way to automatically port a Chrome add-on to Firefox with the help of another add-on (as far as I can remember).

It would be great and more friendly to have a choice in the login process:
1 - Normal login for normal usage of the Mozilla site.
2 - Dev/Sync login with 2FA for more security.

Agreed, and that’s how it’s currently set up! Anyone who isn’t registered as a developer of an extension doesn’t have to put their account under 2FA.

Yes, but before, we could choose to log in as a normal user or as a dev …
Now there are no options:
if you are a “dev”, you only have the 2FA choice.

Hi,

I agree this lack of choice is ludicrous.

I am trying to get my Firefox Developer Account status downgraded or revoked as I NEVER EVER asked for it.

A long time ago I installed Chrome Store Foxied and was given Firefox Developer status.

I also dislike two-step authentication apps and will NOT use them.

If I can’t get my Firefox Developer account downgraded or revoked, then I will delete my Firefox account entirely.

If Mozilla insists on two-step authentication for that as well, then Firefox will be uninstalled.

I’m strongly in favour of mandatory 2FA, particularly for things such as a Firefox account where there’s potentially a lot of sensitive data stored, and Mozilla Addons where supply-chain attacks are a threat.

However, there’s no way this should have been made mandatory in its current state. The entire user-experience is littered with problems and bugs. I understand that Mozilla may not be as well-resourced as we’d like and fixing all of these issues quickly might not be viable, but given they exist the decision to enforce 2FA while the issues remain is a really poor one.

From my brief usage, some observations:

Bugs:

  • If you enable-then-disable 2FA (which I did due to the horrible experience I encountered when enabling it), you end up in an infinite redirect loop on addons.mozilla.org. This comes with no error messages: just blank white forever. There’s very little way of finding out that the cause is lack of 2FA unless you’re an avid reader of Moz blog posts.

  • When hitting “Change” on the 2FA section of security settings, it immediately regenerates all of your recovery codes. This is unexpected as (a) I would expect the button to change the 2FA app QR, not just the codes and (b) because it regens them immediately with no confirmation prompt. There’s also no “safety” confirmation to ensure the user has successfully saved their recovery codes, which could lead to users losing access to their account (this is actually highly likely since if a user is clicking this button it probably means they’ve either lost access to or are in the process of deleting their Authenticator app).

Deficits:

  • No U2F or WebAuthn support: the only option is OTP. These are technologies Firefox the browser is championing and it doesn’t even support them in its own account login. They’re also a lot more secure than OTP, and much easier to use.

  • No multi-factor auth support: the limit is 2 factors. This is extremely dangerous as recovery codes are (frankly) a poor way of having backup account access for many reasons. Recovery codes are typically stored in plaintext. Multiple hardware keys is a much more secure backup recovery method, for example.

  • Addons requires 2FA while Accounts does not: this creates unnecessary inconsistency and confusion. I do understand the reasoning behind this: Accounts has many more users & exposing so many people to such terrible UX would invariably result in a massive backlash.