Mozilla has added support for two-factor authentication in Firefox Accounts, its login system for syncing bookmarks, passwords, and open tabs across desktop and mobile devices.
Mozilla will allow Firefox Accounts users to opt in to its two-step authentication setup from today as part of a phased rollout, according to Mozilla software engineer Vijay Budhram.
The standard it's chosen to implement is TOTP, or Time-based One-Time Passwords, which can be generated using several authenticator apps.
Mozilla's support page for manually enabling two-factor authentication on Firefox Accounts notes that users will need to install the Google Authenticator, Duo Mobile or Authy mobile apps. The apps generate one-time codes that roll over periodically.
The quickest way for Firefox Accounts users to set it up is by going to Menu/Options/Firefox Account/Manage accounts, and then clicking the 'Enable' button next to the two-step authentication panel.
Mozilla says if the two-step authentication section isn't yet visible, you can add '&showTwoStepAuthentication=true' to the URL and refresh the page.
Once enabled, an authenticator app can be used to scan the QR code displayed, which confirms the device and enables TOTP. At this stage, Firefox Accounts also displays recovery codes that Mozilla stresses should be downloaded and saved in a safe location.
From this point on, users will need to enter a six-digit security code every time they wish to log in.
There's some interesting background to how the Firefox Accounts team arrived at TOTP, which wasn't its first choice.
Mozilla was initially intending to implement two-factor authentication using push notifications sent to the Firefox mobile app.
Firefox Account developers thought this approach would get higher adoption more quickly, as users wouldn't need to install an authenticator app, and probably already had the Firefox mobile browser installed.
However, some users took offense to this idea, because it could appear that Mozilla was using security to nudge mobile users to enable push notifications for marketing purposes.
And as one user pointed out, for those who don't use Firefox mobile, installing Firefox mobile is a greater burden than installing an authenticator app.
"Um, aren't there a gazillion more desktop users than mobile users?" the individual asked. "Isn't having me install a browser a much, much, much bigger ask than having me install a little TOTP tool? On Android, Firefox Mobile is 44MB, lots of permissions; Google Authenticator is 4MB, almost no permissions."
But by that time the Firefox Accounts team had already been developing the TOTP option, which would go live by the second quarter of 2018.
Despite this development, Alex Davis, a product manager for Firefox Accounts, defended the push-on-mobile plan and said he expects TOTP adoption to remain low for the foreseeable future.
"Think of it in the context that a large proportion of our Firefox Account users already have our mobile browser installed," wrote Davis.
"We can enable safe 2FA for a huge proportion of our existing users without having them install any app. Rather than hope that one day at most 10 percent of users will adopt TOTP, we can guarantee that a MUCH greater proportion of users would have MFA enabled."
Davis did admit, though, that for users who don't yet have mobile Firefox installed, it would be more effort than installing an authenticator app.
Mozilla is also working on enabling two-factor authentication for developer accounts on AMO or Mozilla Add-ons.