Categories: developers

Two-factor authentication required for extension developers

At the end of 2019, we announced an upcoming requirement for extension developers to enable two-factor authentication (2FA) for their Firefox Accounts, which are used to log into addons.mozilla.org (AMO). This requirement is intended to protect add-on developers and users from malicious actors who somehow get hold of a developer's login credentials, and it will go into effect starting March 15, 2021.

If you are an extension developer and have not enabled 2FA by this date, you will be directed to your Firefox Account settings to turn it on the next time you log into AMO.

Instructions for enabling 2FA for your Firefox Account can be found on support.mozilla.org. Once you’ve finished the set-up process, be sure to download or print your recovery codes and keep them in a safe place. If you ever lose access to your 2FA devices and get locked out of your account, you will need to provide one of your recovery codes to regain access. Misplacing these codes can lead to permanent loss of access to your account and your add-ons on AMO. Mozilla cannot restore your account if you have lost access to it.

If you only upload using the AMO external API, you can continue using your API keys and you will not be asked to provide the second factor.

March 24, 2021 update: If your authenticator offers you an 8 character token, check its settings to see if it can provide a 6 character token. Firefox Accounts will not accept 8 character tokens.
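Why an 8 character token fails, as an added example (not Mozilla's code): RFC 6238 TOTP truncates the same HMAC value to a configured number of digits, so a verifier that expects six digits rejects the eight-digit output of the same secret. The secret is the RFC 6238 test key; the otpauth URI and the `server_accepts` check are constructed for illustration and do not describe how Firefox Accounts is implemented.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given time and digit count."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def configured_digits(otpauth_uri: str) -> int:
    """Digit count an authenticator entry is set to; the usual default is 6."""
    query = parse_qs(urlparse(otpauth_uri).query)
    return int(query.get("digits", ["6"])[0])


def server_accepts(secret_b32: str, submitted: str, unix_time: int) -> bool:
    """Hypothetical verifier that only accepts six-digit codes (no clock-skew window)."""
    if len(submitted) != 6 or not submitted.isdigit():
        return False
    return hmac.compare_digest(submitted, totp(secret_b32, unix_time, digits=6))


# Constructed sample data: RFC 6238 test key and a made-up account label.
SECRET = base64.b32encode(b"12345678901234567890").decode()
URI = f"otpauth://totp/Example:dev@example.com?secret={SECRET}&digits=8"

if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    digits = configured_digits(URI)
    code = totp(SECRET, t, digits)
    print(f"authenticator set to {digits} digits -> {code}, "
          f"accepted: {server_accepts(SECRET, code, t)}")
    six = totp(SECRET, t, 6)
    print(f"same secret at 6 digits -> {six}, "
          f"accepted: {server_accepts(SECRET, six, t)}")
```

The six-digit code equals the last six digits of the eight-digit one, because both are the same truncated value reduced modulo a power of ten; the fix is still to switch the authenticator to six digits rather than to trim the code by hand.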

5 comments on “Two-factor authentication required for extension developers”

  1. Thomas wrote on

    Hey, I only use a single device (my laptop), no smartphone, no tablet and no second notebook or desktop computer. Is there any way I can continue using AMO as an extension developer without buying a second device? Best, Thomas

    1. Caitlin Neiman wrote on

      Hi Thomas! Some password managers (like Dashlane) can provide the second factor check on your primary device.

      1. Thomas wrote on

        Thanks for the quick reply!

        Fortunately, I found that we don’t actually rely on proprietary software (like Dashlane) for that task because I found that the open source password manager pass (https://www.passwordstore.org) is actually able to do this with the pass-otp plugin (https://github.com/tadfisher/pass-otp).

  2. Extension Dev wrote on

    I’m also struggling a bit to get 2FA working for my account.

    I’m using https://addons.mozilla.org/addon/auth-helper/, which has always worked before without issue, but on https://accounts.firefox.com/beta/settings/two_step_authentication, I’m getting the following error:

    “Incorrect two-step authentication code”

    I actually did get it to work once, downloaded my backup codes, and tried logging out and back in and 2FA was again disabled and the linked data lost. This was the case on both the old design and the new beta one.

    Are there any known kinks that are being worked out with the feature?

    Also, I understand that addons are blocked from working on firefox.com to some extent? Is there a way to bypass that in about:config?

    Thanks

    1. Caitlin Neiman wrote on

      Sorry to hear that this has been causing you issues!

      I know of one issue where an authenticator app defaults to providing an 8 character token, and AMO only accepts 6 characters. I’ll update the blog post to include that information.

      Can you try that and see if it helps? If it doesn’t, can you post this issue on our community forum at https://discourse.mozilla.org/c/add-ons/35 so we can get more folks to look at it?

      Regarding extensions being blocked from working on certain Mozilla domains — you can unblock them by toggling the `extensions.webextensions.restrictedDomains` preference in about:config, but we ask that developers not encourage users to change those settings. 🙂 The list of blocked domains can be found at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts.