Throughout 2018 the Mozilla #iam project has matured its login capabilities and expanded the reach of sites and services implementing IAM Login. Based on user feedback we now introduce Authentication Assurance Levels (AAL) which enable two significant changes while maintaining the appropriate security level for site owners.
- Reduced login friction: Site owners can choose to allow single-factor (1FA) authentication, in addition to passwordless email, for low-friction third-party authentication (GitHub, FxA) to their services.
- Increased authentication flexibility: Accounts with the same primary email address (e.g., email@example.com) log you in regardless of the login method (e.g., GitHub, FxA, Google, passwordless), provided AAL requirements are met.
- By default, all sites (Relying Parties, aka RPs) require a certain level of security called the Authentication Assurance Level, which uses indicators to determine whether your login is legitimate and safe. It enforces several checks and means that you will be able to log in with Google accounts, GitHub accounts, Firefox Accounts, and LDAP accounts anywhere you have access.
- Sites which currently support Passwordless (email verification for logins) will still support it, even though their Authentication Assurance Level is lower. Site owners may choose to disable this low assurance option, and we have informed them of the option.
- New relying parties need to work with Mozilla’s Enterprise Information Security (Infosec) team to ensure passwordless is used safely, or if they request to lower the default assurance level (AAL). Previously this was not possible, and we would enforce restrictions instead.
- Accounts with the same email address are now linked and let you log in regardless of your login method. For example, if you are firstname.lastname@example.org and log in with GitHub, this is the same as email@example.com logging in with Firefox Accounts, as long as the Authentication Assurance Level allows the login.
- Paid Staff still need to log in with their Staff account. However, they may, of course, use a contributor account that is dissociated from their Staff account as desired.
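The rules above (a per-RP required AAL, passwordless kept only where the RP still allows it, same-email identities merged only when the AAL requirement is met, and Staff restricted to their Staff account) can be written down as a small policy evaluator. This is an added illustration, not Mozilla IAM code: the numeric level ordering, the method-to-AAL mapping, and the assumption that the Staff account is the LDAP login are all assumptions made here for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed ordering of assurance levels; the announcement does not define values.
AAL_LOW, AAL_MEDIUM, AAL_HIGH = 1, 2, 3

# Assumed assurance provided by each login method. Passwordless (email
# verification only) is the lowest; the LDAP "Staff" account is the highest.
METHOD_AAL = {
    "passwordless": AAL_LOW,
    "github": AAL_MEDIUM,
    "google": AAL_MEDIUM,
    "fxa": AAL_MEDIUM,
    "ldap": AAL_HIGH,
}


@dataclass(frozen=True)
class RelyingParty:
    name: str
    required_aal: int = AAL_MEDIUM    # default level every RP gets
    allow_passwordless: bool = False  # legacy RPs keep it unless they opt out


@dataclass(frozen=True)
class Login:
    email: str
    method: str
    is_staff: bool = False


def evaluate_login(rp: RelyingParty, login: Login) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, linked_identity).

    linked_identity is the normalised primary email under which accounts from
    different providers are merged, or None when the login is refused.
    """
    method = login.method.lower()
    if method not in METHOD_AAL:
        return False, "unknown login method", None
    # Paid staff must use their Staff (LDAP, assumed) account whatever the RP allows.
    if login.is_staff and method != "ldap":
        return False, "staff must log in with their Staff account", None
    identity = login.email.strip().lower()
    # Passwordless sits below the default AAL; it is accepted only where the RP keeps it on.
    if method == "passwordless":
        if rp.allow_passwordless:
            return True, "passwordless permitted by relying party", identity
        return False, "passwordless disabled for this relying party", None
    if METHOD_AAL[method] < rp.required_aal:
        return False, f"{method} is below required AAL {rp.required_aal}", None
    return True, f"{method} meets required AAL {rp.required_aal}", identity
```

Two logins with the same primary email via different providers resolve to the same `linked_identity`, but only when each one individually clears the RP's AAL bar.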