Optionally protect filling of saved logins with OS authentication (including biometrics)
Categories
(Toolkit :: Password Manager, enhancement, P2)
Tracking
()
People
(Reporter: gasolin, Assigned: ssachdev)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [passwords:fill-ui] security:passwords [passwords:os-reauthentication][fxcm-os-auth])
Attachments
(1 file)
Form Autofill is a convenience feature https://support.mozilla.org/en-US/kb/control-whether-firefox-automatically-fills-forms With that convenience we may sacrifice security for certain critical sites (such as bank account, google login, steam account etc) if the user does not enable or the site does not provide 2 factor authentication. We have `master password` to make the process more secure by asking user type the master password before benifit from automatic fill. but it's not that convenient to use. By recent hardware improvements, middle end Notebook like 2016 Mackbook Pro (Touch ID) or many (> $1000) Windows Hello compatible devices already equipped fingerprint readers https://www.microsoft.com/en-us/windows/view-all-devices?type=WindowsHello which provide a more convinient and safer way to add the extra factor of protection. Eng tasks: * Integrate with Mac Touch ID (or Windows Hello / Linux PAM module) and provide API * Add a preference near master password to allow auth with FingerPrint. * Whenever the place master password should be shown, show FingerPrint/Touch ID dialog (and might allow fallback to master password) instead Here's the proposal https://docs.google.com/a/mozilla.com/document/d/12Uxw2p9oHF6DbQTkC3vovm0e0_8xda773DiKjNeQPyk/edit?usp=sharing
Reporter | ||
Comment 1•7 years ago
|
||
Hi Stephen, I checked the dev doc and found apple seems support utilize Touch ID for 3rd party application, does that correct? https://developer.apple.com/documentation/localauthentication
Comment 3•7 years ago
|
||
TouchID is already covered by bug 1342211.
Comment 4•4 years ago
|
||
I have a Windows laptop with a fingerprint sensor. Windows Hello support would be nice. I'd also like to point out that the fingerprint (or photo for Windows Hello) would provide a way to choose profiles.
Comment 5•4 years ago
|
||
Windows Hello supports the FIDO2 workflow and can be used with biometric cameras and USB security keys as well. It would be great, if this would all be covered by "Firefox asks Windows for authentication". Using a USB yubikey to unlock my password manager would be awesome.
Comment 6•4 years ago
•
|
||
(In reply to patrick.stalph from comment #5)
Windows Hello supports the FIDO2 workflow and can be used with biometric cameras and USB security keys as well. It would be great, if this would all be covered by "Firefox asks Windows for authentication". Using a USB yubikey to unlock my password manager would be awesome.
In tomorrow's Nightly build you will be able to use all of the Windows Hello methods (minus picture passwords which seem to be specific to the Windows login screen) to authenticate access to plaintext passwords (revealing/editing/copying) if Master Password is disabled. It won't affect the encryption but it will reduce casual snooping.
Comment 7•4 years ago
|
||
I'll keep this bug open to protect snooping via (auto) fill of saved logins.
Updated•3 years ago
|
Updated•2 years ago
|
Updated•3 months ago
|
Updated•3 months ago
|
Assignee | ||
Updated•3 months ago
|
Assignee | ||
Comment 10•2 months ago
|
||
Assignee | ||
Updated•2 months ago
|
Updated•24 minutes ago
|
Description
•