Closed Bug 1466712 Opened 7 years ago Closed 7 years ago

Enable 2FA via Email or TOTP for Developer Accounts

Categories

(addons.mozilla.org :: Security, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: adavis, Unassigned)

References

Details

(Whiteboard: MOVED TO GITHUB ISSUE)

**Context**

Chrome extension developer accounts were compromised in 2017, resulting in malicious addons being pushed to Chrome users. This could have been prevented by 2FA. https://arstechnica.com/information-technology/2017/08/after-phishing-attacks-chrome-extensions-push-adware-to-millions/

**Firefox Accounts**

Since Q1, FxA has the capability to require certain logins to go through a verification loop. This verification loop can be done by email where the user has to enter the codes we emailed them. (See Bug 1432189)

Alternatively, as of this week, for increased security, it is possible to force users to enable 2FA via TOTP. For example, this will be forced for IAM team's integration of FxA into Auth0.

**Description**

Enable at a minimum email confirmation loops for developer accounts. If desired, force developers to turn on TOTP. (increased friction over checking an email due to effort to set up)
See Also: → 1432189
While I can see the security angle of this bug, we only keep this component alive for bugs we need to keep confidential/restricted and I don't believe that's the case here. It's best to file bugs/issues related to AMO in our umbrella repo: https://github.com/mozilla/addons/issues/
Assignee: nobody → stomlinson
Assignee: stomlinson → nobody
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
"wontfix" sends the wrong message here, but there doesn't seem to be an appropriate resolution choice here. I think there used to be a MOVED resolution :-(
Whiteboard: MOVED TO GITHUB ISSUE