<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" id="gmail-docs-internal-guid-1cc521f7-7fff-11a6-6836-3e030823cc72"><span style="font-family:Arial;vertical-align:baseline;white-space:pre-wrap">AMO and FxA 2FA Discussion</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Date: December 5, 2018</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Attendees: Jorge Villalobos, Stuart Colville, Mathieu Pillard, Andrew Williamson, Vijay Budhram, Shane Tomlinson</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;vertical-align:baseline;white-space:pre-wrap"><br></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;vertical-align:baseline;white-space:pre-wrap"><b>Background:</b></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;vertical-align:baseline;white-space:pre-wrap"><b><br></b></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap"><font face="arial, helvetica, sans-serif">AMO would like the ability to force 2FA for developer accounts. Users who do not have 2FA</font></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap"><font face="arial, helvetica, sans-serif">enabled are then able to enable 2FA as part of the login flow. 
FxA currently shows an error message</font></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font face="arial, helvetica, sans-serif">if a relier forces 2FA and the user does not have it enabled. There is a link to a SUMO article, but</font></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font face="arial, helvetica, sans-serif">no link to /settings to enable 2FA. Even if there was a link to /settings, the user would</font></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font face="arial, helvetica, sans-serif">not be able to get back to the relier.</font></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font face="arial, helvetica, sans-serif"><br></font></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">Smoothing out this flow to allow a user to add 2FA mid-login requires significant effort on the<font face="arial, helvetica, sans-serif"><br></font></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">FxA side. 
We are trying to figure out some interim solutions that might get us to a good enough</p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt">place.</p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><b>Background issues:</b></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><b><br></b></p><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(34,34,34);vertical-align:baseline;white-space:pre-wrap">Force 2FA at login for developers, behind a waffle</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/mozilla/addons-server/issues/10046" style="text-decoration-line:none"><span style="background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/mozilla/addons-server/issues/10046</span></a></p></li></ul><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Allow users to set up 2FA/TOTP for reliers that pass acr_values=AAL2</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/mozilla/fxa-content-server/issues/6683" style="text-decoration-line:none"><span style="background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/mozilla/fxa-content-server/issues/6683</span></a></p></li></ul><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Provide a way for reliers to confirm a user's login state without re-entering password</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/mozilla/fxa-content-server/issues/6661" style="text-decoration-line:none"><span style="background-color:transparent;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/mozilla/fxa-content-server/issues/6661</span></a></p></li></ul></ul><div dir="ltr"><br></div><b>Questions & Comments:</b><br><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Could AMO send a list of emails and FxA sends an email to those users asking them to enable 2FA?</span></p><ul style="margin-top:0pt;margin-bottom:0pt"><li><font color="#000000" face="Arial"><span style="white-space:pre-wrap">Idea is to send an email to the list of users explaining the new AMO requirement and ask them to enable 2FA.</span></font></li><li><font color="#000000" face="Arial"><span 
style="white-space:pre-wrap">User enables 2FA out of band so the next time they sign into AMO, they are ready to go.</span></font></li><li><font color="#000000" face="Arial"><span style="white-space:pre-wrap">Could use the existing settings panel w/o asking users to enable 2FA inline.</span></font></li><li style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;white-space:pre-wrap">Doesn’t solve the problem for developers who sign up after the email is sent.</span></p></li></ul><div><font color="#000000" face="Arial"><span style="white-space:pre-wrap"><br></span></font></div><div><font color="#000000" face="Arial"><span style="white-space:pre-wrap">Instead of FxA sending the emails, could AMO send an email to the user w/ a link to the FxA settings page?</span></font></div><div><ul><li><font color="#000000" face="Arial"><span style="white-space:pre-wrap">For either email approach, we'll want to track conversion rates.</span></font></li><li><font color="#000000" face="Arial"><span style="white-space:pre-wrap">Emailing 10s of thousands of users prematurely wouldn’t be awesome. 
Let’s find out more.<br></span></font></li></ul></div><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap">Setting up 2FA is time consuming and difficult</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"></p><ul><li>“There are so many steps to setting up 2FA - Downloading their recovery code might be problematic.”<br></li><li>Setting up on mobile is difficult.<br></li><li>AMO dev site doesn’t work well in mobile anyways.<br></li></ul><p></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap">Is it possible to present the user some UX on the AMO side saying it must be enabled?</span><br></p></div></div><div dir="ltr"><div dir="ltr"><ul><li>Could we use the developer bar on AMO?<br></li></ul><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap">For the smoothest flow, we’d have to re-use the current screens and integrate them into t</span><span style="background-color:transparent;color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap">he login flow somehow.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"></p><ul><li><font color="#000000" face="Arial"><span style="white-space:pre-wrap">This requires extracting the 2FA screens from FxA's /settings page and integrating them into the login flow.</span></font></li><li><font color="#000000" face="Arial"><span style="white-space:pre-wrap">Significant effort, would need to be scheduled.</span></font></li><li><font color="#000000" face="Arial"><span style="white-space:pre-wrap">Will require UX support and testing.</span></font></li></ul><p></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">What is the schedule to force enable 2FA on AMO?</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"></p><ul><li>Originally for this quarter, obviously it's too late for that to happen.<br></li></ul><p></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap">For users without phones, we’d need to update the SUMO doc saying what to do.</span><br></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">What does the "send an email asking the user to enable 2FA" approach look like?</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"></p><ul><li><font color="#000000" face="Arial"><span style="white-space:pre-wrap">The FxA team knows how to send out of band emails, we can turn those around pretty quickly as long as we have copy.</span></font></li><li>We’d want to work together to ensure the copy makes sense and doesn’t scare AMO users away.<br></li></ul><p></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><b>Proposed path forward</b></span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font color="#000000" face="Arial"><span style="white-space:pre-wrap"> </span></font></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font color="#000000" face="Arial"><span style="white-space:pre-wrap">Use the send an email approach, iterate from there.</span></font></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><font color="#000000" face="Arial"><span 
style="white-space:pre-wrap"><br></span></font></p><ul style="margin-top:0pt;margin-bottom:0pt"><li style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Send an email to AMO developers</span></p></li><ul><li>The AMO and FxA teams work together to develop email copy to send to AMO developers.</li><li>The AMO team passes a list of developer email addresses to the FxA team.</li><li>The FxA team sends the email, ensuring conversion rates are tracked.</li><li>Target date: TBD</li></ul><li style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Show a banner on AMO</span></p></li><li style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Develop inline UI to enable 2FA</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">First with the password</span></p></li><li style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Then without the password</span></p></li></ul></ul><div dir="ltr"><br></div>Stuart and Jorge, does this capture the essence of what we discussed and decided?</div><div dir="ltr"><br></div><div dir="ltr">Shane<br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><br></p></div></div></div></div></div></div>