Mozilla will enforce two-factor authentication for Extension Developers
Firefox extension developers will need to enable two-factor authentication (2FA) on their accounts in early 2020, under a new requirement that Mozilla has just announced.
Mozilla's reasoning behind the decision is simple: prevent attackers who manage to obtain the username and password of an extension developer from manipulating the extensions that are offered on Mozilla AMO.
The organization dropped its "Review first - Publish later" model in 2017 in order to deliver updates and new add-on releases faster. While extensions may get reviewed manually after publication, there is a time gap between an extension becoming available to users and its review; this could allow malicious actors to push unwanted or malicious content to users in the form of add-ons if the automated systems that are in place can be bypassed.
Starting in early 2020, extension developers will be required to have 2FA enabled on AMO. This is intended to help prevent malicious actors from taking control of legitimate add-ons and their users.
The extra layer of security that Mozilla requires from extension developers won't be required for accounts that use the upload API of AMO.
Regular users who maintain accounts on AMO are not required to enable 2FA for their accounts either. While Mozilla does recommend setting up 2FA for all Firefox accounts, it is not a requirement at this point.
Tip: check out our guide on enabling two-factor authentication in Firefox here.
Once the requirement goes live, developers are asked to enable 2FA for their accounts when they are making changes to their add-ons.
Before this requirement goes into effect, we’ll be working closely with the Firefox Accounts team to make sure the 2FA setup and login experience on AMO is as smooth as possible. Once this requirement goes into effect, developers will be prompted to enable 2FA when making changes to their add-ons.
The new two-factor authentication requirement won't impact extensions that are already available. These remain available, it appears, while developers need to set up 2FA for their accounts if they plan to make changes to their add-ons. It is unclear if this will also be required for new add-ons that get released on AMO.
The extra layer should protect against the majority of supply chain attacks. As is the case with all two-factor authentication options, it is important to keep recovery codes at hand. If an extension developer loses access to the 2FA device and recovery codes, it is possible that this can lead to a permanent loss of access.
Now You: What is your take on the new requirement?