Categories: developers

Secure your addons.mozilla.org account with two-factor authentication

Accounts on addons.mozilla.org (AMO) are integrated with Firefox Accounts, which lets you manage multiple Mozilla services from one login. To prevent unauthorized people from accessing your account, even if they obtain your password, we strongly recommend that you enable two-factor authentication (2FA). 2FA adds an extra layer of security to your account by adding an additional step to the login process to prove you are who you say you are.

When logging in with 2FA enabled, you will be asked to provide a verification code from an authentication application, in addition to your user name and password. This article on support.mozilla.org includes a list of supported authenticator applications.

Starting in early 2020, extension developers will be required to have 2FA enabled on AMO. This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users. 2FA will not be required for submissions that use AMO’s upload API.

Before this requirement goes into effect, we’ll be working closely with the Firefox Accounts team to make sure the 2FA setup and login experience on AMO is as smooth as possible. Once this requirement goes into effect, developers will be prompted to enable 2FA when making changes to their add-ons.

You can enable 2FA for your account before the requirement goes into effect by following these instructions from support.mozilla.org.

Once you’ve finished the set-up process, be sure to download or print your recovery codes and keep them in a safe place. If you ever lose access to your 2FA devices and get locked out of your account, you will need to provide one of your recovery codes to regain access. Misplacing these codes can lead to permanent loss of access to your account and your extensions on AMO.

4 comments on “Secure your addons.mozilla.org account with two-factor authentication”

  1. Romani wrote on

    The Question is…why TOTP and not Webauthn? Mozilla is one of the main apologists of hardware based 2FA, was one of developers of Webauthn, fist one who implemented it and now Mozilla chooses “insecure” (as it was advertised in comparison to Webauthn) TOTP instead?

    Why?

  2. Maxim wrote on

    If I store my password on strongly secured device with FDE and use random passwords with entropy greater than 120 bits why should I use 2FA?

    1. Andreas Wagner wrote on

      Those are good measures, but the computer is not the only link in the process that can be attacked or compromised, or your account might be targeted through other kinds of attacks (for example social engineering or phishing). A second factor protects you in case your password does get leaked, even if you consider that very unlikely.

  3. absolute no wrote on

    Checking the process and I found that the Authy application is terrible. At first I don’t want to get my personal information to 3-d party twillio. Second Authy application is really terrible, it take many mg to make little job, i think it install the self-based web-browser. So I don’t want to trashing my computer. At last I don’t have any phone number. I’m serious.

    I don’t against the 2fa but please make it better, web based, or add it to firefox, but please don’t use 3-d party horror.