Closed Bug 1500618 Opened 6 years ago Closed 6 years ago

Login with Mozilla password on auth0.com requested

Categories

(Infrastructure & Operations :: Multi-Factor Authentication, task)

Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: BenB, Assigned: kang)

Details

Reproduction:
1. Phabricator - Go to <https://phabricator.services.mozilla.com/D9000>
2. Lando - Click on "View on Lando"
3. Login - Click on "Login"

Actual result:
auth0.com asks me for my Mozilla LDAP password

Expected result:
I should *never* *ever* enter my valuable Mozilla password (guarding security bugs, hg commit, binaries etc.) at a third party website.

Importance:
There is one true and only way to prevent phishing: Check the domain part of the website, and never enter the password unless it's the main domain of the company/org that holds the account. Not login-paypal.com, not givemeyourpassword.com, not auth.com, not auth0.com. Only mozilla.com and mozilla.org, or subdomains of that, but never other domains. That's the one and only thing we need to drum into people to prevent phishing attacks. That's very hard to get into people. And here you are training people of the exact opposite. :-( That other domains are legitimate. Let me quickly set up only1auth.com ...
auth0 just recently started supporting custom domains for integration: https://auth0.com/docs/custom-domains and we have registered a subdomain of mozilla to start moving sites to, but I'm not sure where phab/lando are in the process. [:kang] do you know?

In the meantime, definitely use a password manager to help remove the risk of 'entering your Mozilla password' on a non-mozilla site.
Assignee: nobody → gdestuynder
Severity: major → normal
Status: NEW → ASSIGNED
Flags: needinfo?(gdestuynder)
> definitely use a password manager

Password manager is not relevant, because here I'm required to enter my most valuable password at a non-mozilla site. The problem is training users to do something dangerous that we wanted to train them to never do. It's not a technical problem.

I'm glad that there's a solution, and that you want to roll it out. Thank you!
Hi, the current domains used to login are *.mozilla.auth0.com (auth.mozilla.auth0.com in particular). These are trusted domains for the current authentication system. We will be moving to a mozilla.org domain in the near future, though this requires a lot of changes and notifications (partially due to what you mention: many of our users have memorized the current domain as the one to be trusted). This is currently tracked outside Bugzilla.

Note: I would recommend that you use a password manager which auto-fills your password - that way you can be confident that the password will be filled in for the same domain every time you use it (if it does not auto-fill, it means this might be a phishing link).

I will close this bug in the meantime as we're tracking this elsewhere. Thanks!
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(gdestuynder)
Resolution: --- → WORKSFORME
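The two technical points in this thread, the reporter's rule that the password is only ever typed into the account holder's own domain (or a subdomain of it) and the auto-fill origin match a password manager performs that the reply above relies on, as an added example. This is not code from the bug, from Mozilla, or from auth0. The trusted domain list, the vault entry, and every URL in it are constructed for the example; the point it shows is that a suffix match on ".mozilla.org" rejects auth.mozilla.auth0.com and the usual lookalike and user@host tricks, and that the manager simply fills nothing on such a page.

```python
"""Added example (not from the bug thread): the "only type the password on the
account holder's own domain" rule, and the origin match a password manager
applies before auto-filling.  All domains and URLs below are constructed."""
from typing import Optional
from urllib.parse import urlsplit

# Assumption for the example: the only domains the password may be typed into.
TRUSTED_DOMAINS = ("mozilla.org", "mozilla.com")


def login_host(url: str) -> Optional[str]:
    """Return the host a login form at `url` would really submit to, or None
    if the page is not served over HTTPS (no login page should be)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return None
    # .hostname is lower-cased and has userinfo ("mozilla.org@") and the port
    # removed, so the user@host and mixed-case tricks do not survive this step.
    host = parts.hostname
    return host.rstrip(".") if host else None


def is_trusted_login_origin(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """The reporter's rule: the host must be a trusted domain or a subdomain
    of one.  Matching on ".<domain>" rather than a bare suffix keeps
    "mozilla.org.evil.example" and "login-mozilla.org" out."""
    host = login_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def autofill(url: str, vault: dict) -> Optional[str]:
    """What a password manager does: fill only when a saved entry's domain
    matches the page's origin.  A legitimate-looking page that gets no
    auto-fill is the phishing signal the thread describes."""
    host = login_host(url)
    if host is None:
        return None
    for saved_domain, username in vault.items():
        if host == saved_domain or host.endswith("." + saved_domain):
            return username
    return None


if __name__ == "__main__":
    vault = {"mozilla.org": "ldap-user"}  # constructed vault entry
    for u in ("https://accounts.mozilla.org/login",
              "https://auth.mozilla.auth0.com/login",   # the URL the bug is about
              "https://mozilla.org.evil.example/login",
              "https://mozilla.org@evil.example/login",
              "http://accounts.mozilla.org/login"):
        print(f"{u:44} trusted={is_trusted_login_origin(u)!s:5} "
              f"autofill={autofill(u, vault)}")
```

Both checks deliberately share the same matching rule: the manager's value is that the rule is applied by software on every page load instead of by a person who has been told a third-party domain is "trusted" and therefore cannot tell auth0.com from auth1.com. A real manager would match on the registrable domain from the public suffix list rather than on a hand-written tuple; that is the only part this example simplifies.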
> the current domains used to login are *.mozilla.auth0.com

That's the bug here, yes.

> These are trusted domains for the current authentication system.

They are not trusted for a user (developer). I have no way to know that you consider auth0.com trusted, but auth1.com is not trusted.

As a browser security community, we are spending a lot of time educating end users that they should *NEVER* *EVER* enter their password on other domains. Even if they look legit. That's the *only* way to counter phishing, spear-phishing and social engineering: A hard rule to never ever do that. Because good attacks always look legit. You are basically doing social engineering to train users to do unsafe things. The next successful phishing attack is on you.

> I will close this bug in the mean time as we're tracking this elsewhere

Please track it here, and please fix this soon.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
While you're not wrong, and this isn't _quite_ a "worksforme" kind of situation, we're well aware that we're in a transition period here, and have communicated that at great length to our staff and community. As Guillaume says, we're tracking this issue elsewhere, and this bug is going to stay closed to remove any ambiguity about the status of this issue going forward. Like Jeff, I strongly encourage you to use a password manager in the interim. Thank you.
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
> I strongly encourage you to use a password manager in the interim.

This bug isn't about me. It's about your users. But fine, as you wish.