Mozilla has announced that it now supports two-step (also known as two factor or 2FA) authentication for Firefox accounts.
"Starting on 5/23/2018, we are beginning a phased rollout to allow Firefox Accounts users to opt into two-step authentication. If you enable this feature, then in addition to your password, an additional security code will be required to log in."
Mozilla has chosen the popular Time-based One-Time Password (TOTP) authentication standard as its vehicle for doing this. TOTP codes are generated in an authenticator app such as Google Authenticator, Authy, Duo, or open source andOTP.
Single-use recovery codes are also supported in case the dog eats your phone or something.
We recommend that Firefox users who rely on the browser’s built-in password manager, in particular, should consider enabling 2FA to improve the security of their accounts.
What is 2FA?
One-factor authentication is something you know, for example your username and password. Two-factor authentication adds something you have. In this case, it's your phone.
It is very unlikely that an attacker will be able to both discover your username and password and gain access to your phone. 2FA therefore greatly improves the security of any accounts protected by it. Check out our What is 2FA guide for more information about it.
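To show what the authenticator app and the account server are each computing, here is an added example (not code from this article or from Mozilla) implementing TOTP as specified in RFC 6238 on top of HOTP (RFC 4226). The base32 secret, the 30-second step and the one-step tolerance window used in verify_totp are assumptions for illustration, not details of Mozilla's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 HOTP: HMAC over an 8-byte big-endian counter, then "dynamic truncation"
# picks 4 bytes at an offset taken from the last nibble of the MAC.
def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the HOTP counter is the number of time steps (assumed 30 s here,
# the common default) since the Unix epoch, so phone and server agree without
# ever sending the secret again.
def totp(secret: bytes, timestamp=None, step: int = 30, digits: int = 6) -> str:
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)

# The QR code shown at enrolment carries the shared secret base32-encoded; apps
# tolerate spaces, lower case and missing '=' padding when it is typed by hand.
def decode_base32_secret(encoded: str) -> bytes:
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)

# Server-side check (assumed policy): accept the current step plus one step either
# side to absorb clock drift, and compare in constant time so response timing does
# not leak how much of a guessed code was correct.
def verify_totp(secret: bytes, candidate: str, timestamp: int,
                step: int = 30, window: int = 1) -> bool:
    for delta in range(-window, window + 1):
        expected = totp(secret, timestamp + delta * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

if __name__ == "__main__":
    # Constructed demo secret, not a real account secret.
    secret = decode_base32_secret("JBSWY3DPEHPK3PXP")
    print("code for the current 30-second step:", totp(secret))
```

The RFC 6238 test vector (secret "12345678901234567890", time 59) yields 287082 with six digits and 94287082 with eight, which is a quick way to confirm an implementation before trusting it.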
How to protect your Firefox account using 2FA
Long-term readers of these pages will know that I am a fan of open source software solutions, especially when it comes to security software. andOTP is an open source TOTP-compatible authenticator available for Android.
The process outlined below, however, is similar no matter which app or platform you use. If you do also use andOTP, this page offers advice from its developer on setting it up. Note that Android’s security policy prevents me from taking screenshots of the andOTP app in action.
1. Enable 2FA in Firefox
Go to Options -> Firefox Account -> Manage Account -> Two-step authentication -> Enable.
Mozilla is rolling out 2FA over a period of time, so you may not see this option in Firefox Accounts yet. If you don’t, then simply click this link in Firefox to enable it.
2. You will be given a QR code to scan into your authenticator app. In andOTP, tap the + icon at the bottom right -> Scan QR code. You will then be shown a security code that you must enter into Firefox. Then hit "Confirm".
3. And ta-da! That's it, all set up. You should see confirmation that 2FA is enabled (and receive a confirmation email from Mozilla).
You will also be given some one-use recovery codes. You can enter each of these once, instead of generating new codes in your authenticator app. Keep them safe!!! I store mine in an encrypted KeePass password manager file.
4. Whenever you sign into your Firefox Account (for example when you install Firefox onto a new device) you will be asked to provide a security code after you have entered your username and password.
Just open your authenticator app, look for the Firefox Accounts entry, and enter the code within the allotted time. Easy!
Conclusion
Using two-factor authentication will make your Firefox account much more secure, and it only takes a few minutes to set up. There really is very little reason not to do it, and a whole bunch of reasons you should…