How to create Firefox Account Recovery Keys
Firefox users who use a Firefox Account to sync data between devices and the cloud use a combination of a username and a password for authentication. Users may enable two-step authentication to improve security further.
The password is used to encrypt the data so that it is protected from any prying eyes. Even Mozilla, maker of Firefox and operator of the cloud storage where all the bits are stored, has no access to the data.
Considering that synced data may hold important and valuable information, such as account passwords, the browsing history or bookmarks, it is of utmost importance that only the owner of the data has access to it.
Until now, Firefox users who forgot the password had no option to recover the data. While guessing might have worked for some to regain account access, most probably had no luck with guesses.
Tip: you can check all Firefox Account connected devices and apps.
Firefox Accounts -- account recovery
Mozilla unveiled an addition to Firefox Accounts on September 27, 2018 that adds an account recovery option to the service.
Account Recovery generates a recovery key that Firefox Account owners may supply when they forget the account password and can't sign in to the account anymore because of that.
Recovery Keys work pretty much as you'd expect them to: you need to generate them on the Firefox Account website and store them in a safe location. You can use the recovery key when you run into login troubles to restore access to the account even without supplying the original account password.
The password gets reset, and after the operation you may access the data once again to sync it between devices.
How to set up a recovery key
It takes only a couple of steps to create recovery keys for Firefox Accounts. Note that you can do so only if you can still access the Firefox Account website. While you can open the Firefox Account page without signing in again if you are signed in to the account in the browser, creation of a new recovery key requires that you re-enter the account password.
If you are signed out of all devices, however, there is no such option available anymore.
- Load about:preferences#sync in the Firefox web browser.
- Select "Manage Account" to open a new tab on the Firefox website that displays account related information.
- Or, visit https://accounts.firefox.com/ directly and sign in there.
- Select "Enable" next to Account Recovery on the page.
- Note: if you don't see the Account Recovery option on the page yet, add &showAccountRecovery to the address to make it visible.
- Click on the Generate button to generate a new account recovery key.
- Type the account password to confirm ownership. Without it, anyone with access to the browser could generate a recovery key.
- The recovery key is displayed on the screen. You can download it, print it, create a screen capture, memorize it, or copy and paste it.
Note: You will notice some changes the next time you access the Account Recovery options:
- The enable button has been replaced with a change button.
- The generate button is not available. You get a revoke button to delete the previously generated key.
A recovery key can only be used once. It expires automatically when it is used and it is necessary to generate a new recovery key if you want to use it as an account recovery option.
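The behaviour described above (data protected by the password, a recovery key that restores access, single use) can be modelled with key wrapping. This is an added example, not Mozilla's code and not the Firefox Accounts protocol: the names Account, wrap and unwrap are hypothetical, and the PBKDF2 plus HMAC construction is a standard-library stand-in for a real authenticated key wrap.

```python
import hashlib
import hmac
import secrets

def _kdf(secret: str, salt: bytes) -> bytes:
    # Stretch a secret into 64 bytes: 32 for the pad, 32 for the MAC key.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=64)

def wrap(data_key: bytes, secret: str) -> bytes:
    # Encrypt-then-MAC a 32-byte key under a fresh salt (assumed construction).
    salt = secrets.token_bytes(16)
    okm = _kdf(secret, salt)
    ct = bytes(a ^ b for a, b in zip(data_key, okm[:32]))
    return salt + ct + hmac.new(okm[32:], salt + ct, hashlib.sha256).digest()

def unwrap(blob: bytes, secret: str) -> bytes:
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    okm = _kdf(secret, salt)
    good = hmac.new(okm[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong secret or modified blob")
    return bytes(a ^ b for a, b in zip(ct, okm[:32]))

class Account:
    """Hypothetical model of what a sync server stores: only wrapped keys."""

    def __init__(self, password: str):
        self.by_password = wrap(secrets.token_bytes(32), password)
        self.by_recovery = None  # no recovery key until the user enables one

    def data_key(self, password: str) -> bytes:
        return unwrap(self.by_password, password)

    def enable_recovery(self, password: str) -> str:
        # Needs the password: it is the only way to reach the data key.
        key = self.data_key(password)
        recovery_key = secrets.token_hex(16)  # shown once, stored by the user
        self.by_recovery = wrap(key, recovery_key)
        return recovery_key

    def recover(self, recovery_key: str, new_password: str) -> None:
        if self.by_recovery is None:
            raise ValueError("no recovery key on file")
        key = unwrap(self.by_recovery, recovery_key)
        self.by_password = wrap(key, new_password)
        self.by_recovery = None  # single use: a new key must be generated

    def reset_without_recovery(self, new_password: str) -> None:
        # Nothing can unwrap the old data key, so a fresh one replaces it.
        self.by_password = wrap(secrets.token_bytes(32), new_password)
        self.by_recovery = None
```

In this model a reset without the recovery key leaves the old synced data undecryptable, which is why the key has to be generated while the password is still known.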
Closing Words
The generation of a recovery key for a Firefox Account is completely optional. Users who don't want to generate these keys don't have to do anything; those who like the idea of a safeguard can do so.
It is important to store the key in a safe location such as a password manager, a safe, or an encrypted container, as anyone with access to it may gain full access to the Firefox Account data.
Not least syncMan also resets several configs that were preventing ff from autoSyncing after every single changed bookMark.
about:config?filter=services.sync.syncThreshold
about:config?filter=services.sync.globalScore
about:config?filter=services.sync.nextSync
Ah well .. Mozilla
Curiosity killed the cat.. ( again )
Having forgotten a previously devastating experience from accessing sync/manageAccount …
This time again upon login, the syncManager sort of creates a new token ( or what not )..
Thus killing the flawlessly working autoLogin of my ff44 on nonPersistent liveUsb.
Exactly the same happened around Two years ago, which then as now requires a remaster.
Moreover this time syncMan also demands an emailConfirmation, in order to start syncin.
Let's see how that has to be workedAround .
Back to the “Recovery Key” scheme?? As was used in Weave/Sync v 1.1 which started in late Dec 2010 as Firefox 4.0 was in the Beta 8 stage. It killed backward compatibility with the Weave extension which was used with Firefox 3.0, 3.5, & 3.6, before it evolved into Sync as a standard feature for the Firefox 4.0 Release which came out on March 22, 2011. Really “screwed the pooch” for me with a EeePC Netbook which took me almost 6 months to get the right “flavor” of Linux that would work on that oddball computer and with Firefox 4.0 / actually 6.0 because Mozilla had taken Firefox into the Rapid Release scheme with a new version every 6 weeks by then. By then I was so disgusted that I had given up on using Sync altogether. Then with Firefox 29 Australis came Sync v 1.5 that dropped that Recovery Key – hell users never saved that Key and lost all their data when they really needed it because they couldn’t read about how important that “Key” was to recover their data. Sync v 1.5 just created another obstacle for users who “didn’t or couldn’t read” about what would happen when they changed their Sync account Password, and their data was wiped from the Sync server due to the encryption scheme. This new scheme with adding the Recovery Key (back) may turn out to be helpful to some or a few users, but it ain’t gonna fix “dumb”; and IMO that is an affliction that too many computer users suffer from. A “communication device” that they spend little to no time learning to use. If the user didn’t print the code as suggested in Firefox 4.0 thru Firefox 29.0 as was suggested when they signed up for Sync, I wonder how many will do that now and be able to use this “retro feature”?
I hope it’s not possible to reset the password through secondary mail. Otherwise, 2FA is moot.
Re : corporate Mozilla. A new, nice example of them harassing other companies because they don’t care enough for privacy :
https://blog.mozilla.org/blog/2018/09/27/25000-americans-urge-venmo-to-update-their-privacy-settings/
That’s the beauty of being on the Left : you can be a big corporation, and still play the “community organiser”, be an “activist”, call for street rallies and bully other corporations — all in the name of the greater good, of course. Meanwhile, Firefox is absolutely sterling, privacy-wise.
How much did that Ipsos poll cost ? What personal data from Firefox users was sold in order to pay for that poll ? How many long-neglected bugs, or missing features, could have been fixed with that money ?
Speaking of Mozilla related nonsense, I was wondering if anyone has got a more comprehensive list of Mozilla owned domains through which they distribute malware. I found this list on a reddit post:
By the looks of it version 63 of Firefox is going to be apocalyptic, and it has already been well proven that in-browser available configuration should not be trusted at all, so the next best thing would be to block these in my hosts file and router.
@Yuliya
Oh, dear friend, I think you miss versioncheck.addons.mozilla.org, there are many many *malware* there.
You take care, goodbye.