Mozilla mandates 2FA security for Firefox developers

17 Dec 2019
Tags: 2-factor Authentication, Firefox, Google, Google Chrome, Mozilla, Web Browsers

by John E Dunn

Mozilla last week fired off an important memo to all Firefox extension developers telling them to turn on two-factor authentication (2FA) on their addons.mozilla.org (AMO) accounts.

This is a good move but also surprisingly late in the day.

Mozilla extensions have been around since not long after the browser appeared in 2004, and have been available to all Firefox users from 2014.

In 2018, the company added multi-factor authentication to accounts, with users able to choose from any one of a long list of Time-based One-Time Password (TOTP) authentication apps.

This, in effect, means that extension developers have been securing their accounts using only an email address and password for most of the browser’s existence.

It’s a glaring security weakness Mozilla has belatedly decided to plug. Mozilla’s Caitlin Neiman wrote:

Starting in early 2020, extension developers will be required to have 2FA enabled on AMO. This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users. 2FA will not be required for submissions that use AMO’s upload API.

Rogue extensions

Turning on better authentication is an inherently good idea but is there more to it than that? Extensions and add-ons can be used to target Firefox users in three ways:

  1. Criminals setting up legitimate accounts to spread rogue extensions.
  2. Criminals distributing rogue extensions from third-party sites and socially engineering Firefox users to install them.
  3. Legitimate developer accounts that get hacked to sneak malicious extensions into the official Firefox add-ons store.

The first of these has been a low-level issue since Mozilla moved from manual to a more automated review process in 2017 in an effort to speed up development. Rogues get pulled down quickly when the company detects them, but this is after the fact. The second has also been an occasional issue.

Perhaps mindful of similar incidents on Google’s Chrome store, Mozilla has finally ticked developer 2FA off its security to-do list.

So, a few weeks from now, logging into a developer account won’t be possible without 2FA – a big change for developers who perhaps don’t pay as much attention to their creations as they should.

That means they could, in theory, be locked out completely, which is why Mozilla recommends they print out recovery codes for such an eventuality.

2FA for everyone

More generally, turning on 2FA for all your accounts that offer it is something everyone can do. Good security isn’t just something for developers.

If you’d like to learn more about two-factor authentication (2FA), we’ve got you covered:

  • All you need to know about 2FA
  • 2FA: Understanding the options

One comment on “Mozilla mandates 2FA security for Firefox developers”

  1. Bryan says:
    December 17, 2019 at 6:48 pm

    > good move but also surprisingly late in the day
    Albeit not verbatim, my precise thoughts upon seeing the headline.

    Glad it’s coming; every little bit helps–thanks for the good news.
