now testing: sign-in confirmation emails for Firefox Sync

Ryan Kelly rfkelly at mozilla.com
Sun Jun 26 23:14:38 UTC 2016
Hi All,


I want to let you know about a new security feature that we will soon
begin testing in Firefox Accounts: sign-in confirmation emails.

When you sign in to Sync with an existing Firefox Account, you may
receive an email asking you to "Confirm new sign-in to Firefox".  You
will need to click through the verification link in this email before
the browser is able to sync.

Think of it as an initial step on the path to broader two-factor
authentication.

It's in preliminary testing mode, so please don't hesitate to give your
feedback (good or bad!) either here on the list, or in bugs.

More details below if you're interested.


  Cheers,

    Ryan


-------------

Questions that nobody has asked yet, but that I thought they might:


* Under what circumstances will I receive a sign-in confirmation email?

When this feature is enabled, you will receive a confirmation email when
you sign in to Firefox Sync, and must click through the link therein
before the browser is able to sync.

You will not receive an email when signing in to other services such as
Pocket or AMO.

In the initial testing phase, the feature will only be enabled for a
configurable percentage of users and only on some types of device, so
don't be alarmed if you do not (yet) receive any confirmation emails at all.


* Why are you adding this feature?

This is the first of several extra security features that we're working
on to help protect users if their account password is compromised, for
example if someone is able to guess the password, or if the password is
reused on another website that suffers a data breach.

Unfortunately we have seen Firefox Accounts users being targeted by such
attacks this year:

https://blog.mozilla.org/services/2016/04/09/stolen-passwords-used-to-break-into-firefox-accounts/

This feature is designed to provide an additional layer of security
under such circumstances, preventing an attacker who can guess your
account password from gaining direct access to your synced browser data.

It does not reduce the importance of choosing a strong account password
to keep your data safe.


* I'm confident my password is secure; can I disable this feature?

Not in the initial version, although this would be great feedback for us
to have for future iterations of this feature.
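The flow described above (a new sign-in to Sync is held in an unverified state until the link in the confirmation email is followed; other services and users outside the rollout are not gated) can be modelled in a few dozen lines. The code below is an added illustration for this post and is not Firefox Accounts' own implementation: the class and function names, the `example.invalid` link, the one-hour link lifetime, and the hash-based rollout bucketing are all assumptions chosen for the example. The "emails" go into an in-memory outbox rather than an SMTP server so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed lifetime of a confirmation link; not a value stated in the post.
CONFIRMATION_TTL_SECONDS = 3600


@dataclass
class Session:
    uid: str
    service: str
    verified: bool
    issued_at: float
    # Only the hash of the emailed token is kept server-side, so a leaked
    # session store does not hand out usable confirmation links.
    confirm_token_hash: Optional[str] = None


class ConfirmationGate:
    """Illustrative model of sign-in confirmation gating for Sync sessions."""

    def __init__(self, sample_rate: float, now: Callable[[], float] = time.time):
        self.sample_rate = sample_rate          # fraction of users in the rollout
        self.now = now                           # injectable clock for expiry tests
        self.sessions: Dict[str, Session] = {}
        self.outbox: List[dict] = []             # constructed stand-in for email delivery

    def in_rollout(self, uid: str) -> bool:
        # Deterministic bucketing: a given user always gets the same decision,
        # which avoids a user being gated on one sign-in and not the next.
        digest = hashlib.sha256(uid.encode()).digest()
        bucket = int.from_bytes(digest[:4], "big") / 2 ** 32
        return bucket < self.sample_rate

    def sign_in(self, uid: str, service: str, email: str) -> str:
        """Password check is assumed to have already succeeded; returns a session id."""
        session_id = secrets.token_hex(16)
        needs_confirmation = service == "sync" and self.in_rollout(uid)
        session = Session(uid, service, verified=not needs_confirmation, issued_at=self.now())
        if needs_confirmation:
            token = secrets.token_urlsafe(32)
            session.confirm_token_hash = hashlib.sha256(token.encode()).hexdigest()
            self.outbox.append({
                "to": email,
                "subject": "Confirm new sign-in to Firefox",
                "link": f"https://example.invalid/confirm?session={session_id}&token={token}",
            })
        self.sessions[session_id] = session
        return session_id

    def confirm(self, session_id: str, token: str) -> bool:
        """Called when the link is followed. True only for a fresh, matching, unused token."""
        session = self.sessions.get(session_id)
        if session is None or session.verified or session.confirm_token_hash is None:
            return False
        if self.now() - session.issued_at > CONFIRMATION_TTL_SECONDS:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, session.confirm_token_hash):
            return False
        session.verified = True
        session.confirm_token_hash = None       # single use: the link is now dead
        return True

    def can_sync(self, session_id: str) -> bool:
        """The browser may sync only with a verified Sync session."""
        session = self.sessions.get(session_id)
        return session is not None and session.service == "sync" and session.verified


def parse_confirmation_link(link: str) -> Tuple[str, str]:
    """Extract (session_id, token) from a confirmation link produced above."""
    query = parse_qs(urlparse(link).query)
    return query["session"][0], query["token"][0]


if __name__ == "__main__":
    gate = ConfirmationGate(sample_rate=1.0)
    sid = gate.sign_in("user-1", "sync", "user@example.invalid")
    print("can sync before confirming:", gate.can_sync(sid))
    _, token = parse_confirmation_link(gate.outbox[-1]["link"])
    print("confirm:", gate.confirm(sid, token))
    print("can sync after confirming:", gate.can_sync(sid))
```

Two properties of the model are worth noting from a defender's point of view: a wrong or stale link never changes session state (so a guessed password alone yields a session that cannot read synced data), and the email token is compared in constant time against a stored hash rather than kept in the clear.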
