Mozilla has recently added support for two-factor authentication in Firefox Accounts. This includes its login system for syncing bookmarks, passwords, and open tabs across desktop and mobile devices.
As per stated by Mozilla software engineer Vijay Budhram, Mozilla would allow Firefox Accounts users to opt into its two-step authentication setup very recently as a 0part of a phased rollout,
The standard it’s chosen to implement is TOTP, or Time-based One-Time Passwords can be generated using several authenticator apps.
Mozilla’s support page for manually enabling two-factor authentication on Firefox Accounts, states that users would need to install the Google Authenticator, Duo Mobile or Authy mobile apps. The apps would also need to generate one-time codes that roll over periodically.
Thus, the quickest way to be followed by the Firefox Accounts users would be to set it up is by going to Menu/Options/Firefox Account/Manage accounts. Then from here, they need to click on the ‘Enable’ button next to the two-step authentication panel.
Here, again, Mozilla added that if the two-step authentication section isn’t yet visible, users might as well add ‘&showTwoStepAuthentication=true’ to the URL and refresh the page.
So, after this, once enabled, an authenticator app can be used to scan the QR code displayed, which confirms the device and enables TOTP. In fact, at this stage, Firefox Accounts also displays recovery codes that Mozilla stresses should be downloaded and saved in a safe location.
From this point on, users would need to enter a six-digit security code every time they wish to log in.
With this, there is also some interesting background to how the Firefox Accounts team arrived at TOTP, which of course, wasn’t its first choice.
Mozilla was initially intending to implement two-factor authentication using push notifications sent to the Firefox mobile app.
Firefox Account developers thought this approach would get higher adoption more quickly, as users wouldn’t need to install an authenticator app, and probably already had the Firefox mobile browser installed.
However, some users had also taken offense to this idea because it would appear that Mozilla was using security to nudge mobile users to enable push notifications for marketing purposes.
In fact, as one user pointed out, for those who don’t use Firefox mobile, installing Firefox mobile would be definitely a greater burden than installing an authenticator app.
Despite this development, Alex Davis, a product manager for Firefox Accounts defended the push-on-mobile plan and thinks TOTP adoption would remain low in the foreseeable future.
Finally, Davis added that “Think of it in the context that a large proportion of our Firefox Account users already have our mobile browser installed. We can enable safe 2FA for a huge proportion of our existing users without having them install any app. Rather than hope that one day at most 10 percent of users will adopt TOTP, we can guarantee that a MUCH greater proportion of users would have MFA enabled.”
To conclude, though Davis admitted that for users who don’t have mobile Firefox installed yet, it would be more effort than installing an authenticator app. However, Mozilla is also working on enabling two-factor authentication for developer accounts on AMO or Mozilla Add-ons.