Mozilla will enforce two-factor authentication for Extension Developers
Firefox extension developers will need to enable two-factor authentication (2FA) on their accounts in early 2020, a new requirement that Mozilla has just announced.
Mozilla's reasoning behind the decision is simple: an attacker who obtains an extension developer's username and password should not be able to use them to manipulate the extensions offered on Mozilla AMO.
The organization dropped its "Review first - Publish later" model in 2017 in order to deliver updates and new add-on releases faster. While extensions may still be reviewed manually after publication, there is a gap between an update becoming available to users and that review; during that gap a malicious actor who can bypass the automated checks could push unwanted or malicious code to users in the form of an add-on update.
Starting in early 2020, extension developers will be required to have 2FA enabled on AMO. This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users.
The extra layer of security won't be required for submissions made through AMO's upload API, which authenticates with API credentials rather than an interactive account login; the 2FA requirement covers the web sign-in only.
Regular users who maintain accounts on AMO are not required to enable 2FA either. While Mozilla does recommend setting up 2FA for all Firefox accounts, it is not a requirement at this point.
Tip: check out our guide on enabling two-factor authentication in Firefox here.
Once the requirement goes live, developers will be prompted to enable 2FA when they make changes to their add-ons. Mozilla wrote:
Before this requirement goes into effect, we’ll be working closely with the Firefox Accounts team to make sure the 2FA setup and login experience on AMO is as smooth as possible. Once this requirement goes into effect, developers will be prompted to enable 2FA when making changes to their add-ons.
Closing Words
The new two-factor authentication requirement won't affect extensions that are already listed: they remain available, and developers will only need to set up 2FA on their accounts when they want to make changes to their add-ons. It is unclear whether 2FA will also be required to release new add-ons on AMO.
The extra layer should blunt the attack Mozilla describes, an account takeover using a stolen or phished developer password. It does not address every way an extension can be hijacked: a leaked API key used with the upload API, a compromised developer machine, or a developer who turns malicious are all outside its scope. As with all two-factor authentication options, it is important to keep the recovery codes somewhere safe and offline. If an extension developer loses both the 2FA device and the recovery codes, the result can be a permanent loss of access to the account.
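The second factor Firefox Accounts offers is an authenticator-app code (TOTP, RFC 6238) backed by one-time recovery codes, not an SMS message. The following is an added example, not code from the article or from Mozilla, showing how such a code is derived from the shared secret that the app scans from the QR code: the code is computed locally from the secret and the current time, so no phone number, SIM card or mobile network is involved. The 20-byte secret and the expected codes are the published RFC 4226/6238 test vectors; the verification window, the recovery-code format and the function names are this example's own choices, not Mozilla's implementation.

```python
"""TOTP (RFC 6238) derivation and verification, as used by authenticator-app 2FA.

Added example; not code from the article or from Mozilla. The secret below is the
RFC 4226/6238 test-vector seed, not a real account secret.
"""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Nothing here touches the network; both sides just need the secret and a clock."""
    return hotp(secret, at // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps receive the secret as (usually unpadded) base32 inside an
    otpauth:// URI encoded in the QR code; restore the padding before decoding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, at: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    adjacent steps to tolerate clock skew (window=1 is an assumption of this
    example). Compare in constant time so the check leaks nothing about the
    expected code; a real service must also throttle attempts and reject reuse."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k).encode(), submitted.encode())
        for k in range(-window, window + 1)
    )


def new_recovery_codes(n: int = 8) -> list[str]:
    """Single-use backup codes (format is this example's choice). They must be kept
    offline: losing both the authenticator and these codes can lock the account."""
    return [secrets.token_hex(5) for _ in range(n)]


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector secret (constructed input)
    print("base32 as shown in a QR code:", base64.b32encode(seed).decode())
    print("code at t=59:", totp(seed, 59))          # 287082 per RFC 4226 vector
    print("accepted 30s later:", verify_totp(seed, "287082", 89))
    print("rejected 60s later:", verify_totp(seed, "287082", 119))
    print("recovery codes:", new_recovery_codes(3))
```

The verification window is why a code typed a few seconds after it rolls over still works, and why a code from two steps back does not; the constant-time comparison matters because a plain string compare would let an attacker probing the login endpoint learn the expected code one digit at a time.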
Now You: What is your take on the new requirement?
Two-factor authentication looks good on paper, but there are drawbacks. It all depends on the mobile network provider; two-factor authentication will work when not roaming. Some SIM cards provided by one's provider will not work on other networks.
And there are pay-as-you-go services; from what I can guess, those phones don't receive OTPs.
@Barry:
There’s nothing inherent in the concept of 2FA that requires the use of a mobile provider, SMS, or any other communications channel. All that’s required is to have two or more different methods of authentication.
This is a good decision. Firefox's users are trusting these extension developers to produce secure extensions that only do what they are supposed to do and don't have any hidden malware-ish components. If the developers aren't willing to take the basic security precaution of using two-factor identification to log in to update their extensions, they aren't security conscious enough to have their extensions listed and used, IMO. There is also of course just the basic fact that they are targets to be hacked, and Mozilla is wise to make it just a little bit harder for some hacker to target them and then upload a malware version of a previously good extension and compromise everything in the end users' browsers.
I wouldn’t support this sort of mandate for the average user, but for the average extension developer? Absolutely.
I also think that Mozilla having your phone number or something if you’re an extension developer is a reasonable ask. Anonymous people uploading software is also a security risk. Mozilla reasonably doesn’t want to be reasonable or have their browser’s reputation compromised because some person who won’t identify himself or herself does something shady. Forcing a small amount of disclosure to Mozilla, held in confidence, should reduce incidences of people acting improperly and thinking they are safe from any blowback.
Again, the average user shouldn’t have to do this, and isn’t being asked to, but a developer is essentially a partner with Mozilla, and has the potential to compromise not just their own, but thousands of people’s security, and that makes extension developers a whole different ball of wax.
It’s also worth noting that Mozilla isn’t asking for a Social Security number, a birth certificate, and a mailing address, they just want a second authentication like a code from text to a phone number in addition to a password.
“the average user shouldn’t have to do this”
And why not?
Everyone should have to do that, and much more.
The pseudonymous nature of the web is a breeding ground for subversion, corruption and lies.
People should be monitored and made accountable for what they do.
@Hua Guofeng:
“the average user shouldn’t have to do this”
And why not?
Everyone should have to do that, and much more.
> Firefox extension developers need to set up their accounts to support two-factor authentication (2FA) in early 2020 as this is a new requirement that Mozilla has just announced.
> Mozilla’s reasoning behind the decision is simple: prevent that attackers manage to obtain username and password of extension developers to manipulate the extensions that are offered on Mozilla AMO.
This describes the new requirements for two-factor authentication (2FA) for add-on developers to submit add-ons to AMO (addons.mozilla.org) and to apply for modifications.
It is a measure intended to increase the trustworthiness of the extensions registered on AMO, based on the idea that “the authenticity of the developer must be strictly verified.”
In other words, the targets are completely different from “browser users”.
@John: “Forcing a small amount of disclosure to Mozilla”
I don’t think revealing your phone number is a “small amount of disclosure”, although you can minimize it by using a burner phone.
Aside from that, I agree with your point.
@John said on December 15, 2019 at 11:36 pm,
I fully agree with your opinion.
Slight inconvenience for extension devs, I guess. All two of them who still care about this sinking ship of a pathetic excuse of a browser.
This, coupled with a lack of an adequate number of WebExtension APIs, is eventually going to cause more and more extension developers to simply give up. I’m not saying using 2FA doesn’t make sense from a security standpoint, I’m simply pointing out human nature.
The goons at Mozilla would rather waste time implementing farces like this than actually review the extensions. But that is expected of Mozilla…
I signed up for online school and, not knowing shit about phones or computers, ran my mouth. All my Gmail and Google accounts disappeared, and the Canvas portal password is close to something like that. I really can’t remember passwords and I can’t afford anything right now.
Slightly off-topic, but what browser do you use in the picture? Thanks!
It is an old screenshot from Chrome.
After disabling sideload installs, now Mozilla requires 2FA just to update an add-on? Sorry, I don’t want to give out my phone number; are you going to sell the number to Google?
It doesn’t need your phone number. It’s OTP, not SMS 2FA.
I suggest ghacks.net implement some sort of “two-factor authentication” to ensure that commenters have read the blog entry before they can comment.
> I suggest ghacks.net implement some sort of “two-factor authentication” to ensure that commenters have read the blog entry before they can comment.
Certainly, there are times when you feel that way.
There are some commentators who stand out for not understanding the gHacks Tech News article, reacting only to keywords (such as Mozilla), and making comments unrelated to the topic.
Many of them are trolls and are very annoying.