Two-step authentication in Firefox Accounts

Two-step authentication in Firefox Accounts


Starting on 5/23/2018, we are beginning a phased rollout to allow Firefox Accounts users to opt into two-step authentication. If you enable this feature, then in addition to your password, an additional security code will be required to log in.

We chose to implement this feature using the well-known authentication standard TOTP (Time-based One-Time Password). TOTP codes can be generated using a variety of authenticator applications. For example, Google Authenticator, Duo and Authy all support generating TOTP codes.

Additionally, we added support for single-use recovery codes in the event you lose access to the TOTP application. It is recommend that you save your recovery codes in a safe spot since they can be used to bypass TOTP.

To enable two-step authentication, go to your Firefox Accounts preferences and click “Enable” on the “Two-step authentication” panel.

Note: If you do not see the Two-step authentication panel, you can manually enable it by following these instructions.

Using one of the authenticator applications, scan the QR code and then enter the security code it displays. Doing this will confirm your device, enable TOTP and show your recovery codes.

Note: After setup, make sure you download and save your recovery codes in a safe location! You will not be able to see them again, unless you generate new ones.

Once two-step authentication is enabled, every login will require a security code from your TOTP device.

Thanks to everyone that helped to work on this feature including UX designers, engineers, quality assurance and security teams!

7 responses

  1. ye wrote on :

    better late than never…

  2. Wolf480pl wrote on :

    Why not U2F ?

  3. Johan Zijlstra wrote on :

    Hi Vijay Budhram,

    Thanks a lot! I have it up and running now. Works splendid. Good work.
    At the moment I’m not sure if it will be of use to me, but it’s better to be safe & sure then having loss of important browser data, right?

    Engine is running!

    Kind regards,

    Johan Zijlstra

  4. Bryan wrote on :

    Great job, team!

  5. Robin Kaljouw wrote on :


  6. superneko wrote on :


    But not inadvisable on my Firefox and accounts , even I appendixed “?showtwostepauthentication=true” arguments in the end.

  7. tWiZzLeR wrote on :

    This feature currently might not appear for all users. If it isn’t visible, add &showTwoStepAuthentication=true to the URL and refresh the page.