Mozilla is rolling out support for two-factor (or two-step) authentication for anyone who has a Firefox account. While the feature is not officially enabled within the Firefox account user settings yet, there’s a quick hack you can use to enable it and give it a try for yourself right now.
All you need to do is log in to your Firefox account and go to the settings (it should read accounts.firefox.com/settings). Add the string…
…right at the end of the URL (no space between “settings” and the question mark) and you’ll see the two-factor authentication option appear in your Firefox account settings, like this:
There is no SMS token available. SMS-based authentication tokens have been vulnerable to exploitation and interference from attackers in the past, so they are considered less secure and less optimal than a time-based token. However, for many people they are much easier to use, so it will be interesting to see if the lack of SMS token availability hinders adoption of 2FA for Firefox accounts as it rolls out to the general public.
The idea behind having an account for your browser is that you can search and browse seamlessly from one device to another. All the tabs you have open on your phone while you’re on your daily commute will be open for you in your browser on your computer at home (or work, I won’t judge).
A browser account can also save stored login information across devices, so a private account you are logged in to on your computer will not require you to log in again on your phone – if you use the same browser across both those devices and are logged in to the browser’s account.
So if you do have a Firefox account, it’s likely that it’s set up to save passwords and a whole host of other sensitive data. It is especially crucial to protect that kind of data cache, which is why Firefox is introducing 2FA for its account users. We urge you to enable it as soon as you can.
This way, if someone tries to log in to your Firefox account from a new device and happens to know (or guess) your password, they cannot get access to your account logins or browsing sessions without access to your second authentication factor, which in this case is a time-based token generated by an app on your phone.