Mozilla rolls out recovery key option for Firefox accounts

Mozilla announced today a new recovery option for Firefox Accounts, the user system included inside the Firefox browser. Starting today, users can generate a one-time recover key that will be associated with their account, and which they can use to regain access to Firefox data if users ever forget their passwords.

Firefox Accounts is included with all recent versions of the Firefox browser. Most users are familiar with it because of Firefox Sync, the system that synchronizes Firefox data such as passwords, browsing history, open tabs, bookmarks, installed add-ons, and general browser options between multiple Firefox instances.

But while Sync does the actual synchronization, Firefox Accounts is at the core of Sync and is the system that manages the identities of Firefox users.

Sync works by taking a user's Firefox account password and encrypting the user's browser data on the local computer. Only after this data is encrypted is this data sent to Mozilla's servers for storage, amking sure that Mozilla engineers can't access this information without the user's password, which serves as a decryption key.

Also: Just how fast is Firefox Quantum?

In scenarios where a loses a laptop or has his phone stolen, if he installs Firefox on a new device, he can't download and decrypt his previous browser data without his Firefox account password.

But starting today, Mozilla has rolled out a feature called a "recovery key" for Firefox Accounts. Users can generate a recovery key, which serves as a secondary decryption key for their data, in case they forget their Firefox account password.

The Firefox recovery key is similar to the recovery codes provided during two-factor authentication setup at most online services. Firefox users will have to write them down on a paper, or keep them inside a file (preferably encrypted) somewhere online or on a secondary device.

Mozilla says a recovery key can be used only once, and users will have to generate a new key after they spend the previous one. Instructions on how to generate these keys are provided on this Firefox support page.

Also: Firefox Quantum: A cheat sheet for professionals TechRepublic

But Mozilla also advises that users install Firefox on more than one device, so in the case they lose access to one, they can still use the others to reset passwords or synchronize locally stored data to a new account and make sure the data doesn't get lost forever.

Earlier this year, in May, Mozilla also rolled out two-factor authentication support for Firefox Accounts. Mozilla didn't support the somewhat insecure SMS-based 2FA system, but TOTP, or Time-based One-Time Passwords, which can be generated using various authenticator apps.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

FBI solves mystery surrounding 15-year-old Fruitfly Mac malware

Fruitfly malware author used port scanning with weak or no passwords to identify potential victims.

Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

The evolving IoT botnet is able to compromise an impressive array of architectures.

Teenage Apple hacker avoids jail for 'hacky hack hack' attack

The self-proclaimed Apple fan stole roughly 90GB of confidential data from the iPad and iPhone maker.

Related stories:

• NSA says searches of Americans' data spiked in 2017
• Pennsylvania Senate Democrats paid $700,000 to recover from ransomware attack
• Man gets two years in prison for sabotaging US Army servers with 'logic bomb'
• What technical skills is NSA looking for?
• Why the 'fixed' Windows EternalBlue exploit won't die
• Remove yourself from people search sites and erase your online presence
• Google secretly logs users into Chrome whenever they log into a Google site
• Python is a hit with hackers, report finds
• Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others
• Port of San Diego suffers cyber-attack, second port in a week after Barcelona
• Firefox bug crashes your browser and sometimes your PC
• Mozilla releases Firefox Reality, its web browser for VR
• Tor Browser gets a redesign, switches to new Firefox Quantum engine
• Firefox 62 appears as Mozilla ends support for Windows XP
• Mozilla to block ad trackers on Firefox by default
• California governor signs country's first IoT security law CNET
• Cheat sheet: How to become a cybersecurity pro TechRepublic