AMO and FxA 2FA Discussion

Date: December 5, 2018

Attendees: Jorge Villalobos, Stuart Colville, Mathieu Pillard, Andrew
Williamson, Vijay Budhram, Shane Tomlinson


*Background:*

AMO would like the ability to force 2FA for developer accounts. Users who
do not have 2FA enabled are then able to enable 2FA as part of the login
flow. FxA currently shows an error message if a relier forces 2FA and the
user does not have it enabled. There is a link to a SUMO article, but no
link to /settings to enable 2FA. Even if there were a link to /settings,
the user would not be able to get back to the relier.

Smoothing out this flow to allow a user to add 2FA mid-login requires
significant effort on the FxA side. We are trying to figure out some
interim solutions that might get us to a good enough place.


*Background issues:*

   - Force 2FA at login for developers, behind a waffle
     https://github.com/mozilla/addons-server/issues/10046
   - Allow users to set up 2FA/TOTP for reliers that pass acr_values=AAL2
     https://github.com/mozilla/fxa-content-server/issues/6683
   - Provide a way for reliers to confirm a user's login state without
     re-entering password
     https://github.com/mozilla/fxa-content-server/issues/6661

*Questions & Comments:*

Could AMO send a list of emails and FxA sends an email to those users
asking them to enable 2FA?

   - Idea is to send an email to the list of users explaining the new AMO
   requirement and ask them to enable 2FA.
   - User enables 2FA out of band so the next time they sign into AMO, they
   are ready to go.
   - Could use the existing settings panel w/o asking users to enable 2FA
   inline.
   - Doesn't solve the problem for developers who sign up after the email is
   sent.


Instead of FxA sending the emails, could AMO send an email to the user w/ a
link to the FxA settings page?

   - For either email approach, we'll want to track conversion rates.
   - Emailing 10s of thousands of users prematurely wouldn’t be awesome.
   Let’s find out more.

Setting up 2FA is time consuming and difficult

   - "There are so many steps to setting up 2FA - Downloading their
   recovery code might be problematic."
   - Setting up on mobile is difficult.
   - AMO dev site doesn't work well on mobile anyway.

Is it possible to present the user some UX on the AMO side saying it must
be enabled?

   - Could we use the developer bar on AMO?

For the smoothest flow, we’d have to re-use the current screens and
integrate them into the login flow somehow.


   - This requires extracting the 2FA screens from FxA's /settings page and
   integrating them into the login flow.
   - Significant effort, would need to be scheduled.
   - Will require UX support and testing.

What is the schedule to force enable 2FA on AMO?

   - Originally for this quarter; obviously it's too late for that to happen.

For users without phones, we’d need to update the SUMO doc saying what to
do.

What does the "send an email asking the user to enable 2FA" approach look
like?


   - The FxA team knows how to send out of band emails, we can turn those
   around pretty quickly as long as we have copy.
   - We’d want to work together to ensure the copy makes sense and doesn’t
   scare AMO users away.

*Proposed path forward*

Use the send an email approach, iterate from there.

   - Send an email to AMO developers
      - The AMO and FxA teams work together to develop email copy to send to
      AMO developers.
      - The AMO team passes a list of developer email addresses to the FxA
      team.
      - The FxA team sends the email, ensuring conversion rates are tracked.
      - Target date: TBD
   - Show a banner on AMO
   - Develop inline UI to enable 2FA
      - First with the password
      - Then without the password

Stuart and Jorge, does this capture the essence of what we discussed and
decided?

Shane
_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct
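The relier side of the acr_values=AAL2 contract referred to in the background issues, as an added example that is not AMO's or FxA's code: the relier asks for AAL2 on the authorization request and then refuses to treat the user as logged in unless the ID token it gets back states that AAL2 was actually reached. This is the check that turns "force 2FA" into policy rather than a hint. The example assumes FxA returns the reached level in an `acr` claim; the authorization endpoint, issuer, client_id and shared key are constructed for the example, and HS256 with that shared key stands in for the RS256/JWKS verification a real relier performs.

```python
"""Relier-side enforcement of a 2FA (AAL2) requirement on an OIDC login.

Added illustration, not AMO's or FxA's code. It assumes the contract the
notes describe: the relier passes acr_values=AAL2 and the ID token carries
an `acr` claim stating the level actually reached. HS256 with a shared
secret stands in for RS256/JWKS verification; endpoint, issuer, client_id
and key are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

AUTHORIZE_URL = "https://accounts.firefox.com/authorization"  # assumed for the example
ISSUER = "https://accounts.firefox.com"                       # assumed for the example
CLIENT_ID = "example-client-id"                               # constructed
REQUIRED_ACR = "AAL2"


def build_authorize_url(state: str, redirect_uri: str) -> str:
    """Authorization request asking the IdP to require 2FA for this login."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile",
        "state": state,
        "acr_values": REQUIRED_ACR,  # the relier-side switch from the notes
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Test-only HS256 token minting so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def enforce_aal2(id_token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Verify the token and refuse the login unless acr == AAL2.

    Returns the claims on success, raises PermissionError otherwise. Accepting
    an AAL1 token here is exactly the gap a "force 2FA" policy must close:
    asking for AAL2 only enforces anything if the relier checks the answer.
    """
    try:
        header_b64, body_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise PermissionError("malformed ID token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("acr") != REQUIRED_ACR:
        # Password was accepted but no 2FA: deny developer access and send the
        # user to enable 2FA instead of treating this as a completed login.
        raise PermissionError(f"2FA required: acr={claims.get('acr')!r}")
    return claims


def login_outcome(id_token: str, key: bytes, now: Optional[float] = None) -> str:
    """Map the check onto the two states the relier cares about."""
    try:
        enforce_aal2(id_token, key, now)
        return "granted"
    except PermissionError as e:
        return f"denied: {e}"
```

A missing `acr` claim is treated the same as AAL1: the relier should fail closed rather than assume the IdP honored the request. The denied path is where the "link back to the relier" problem from the notes shows up, since this is the point at which the user has to be sent to enable 2FA and then brought back to retry.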