Closed
Bug 1500679
Opened 7 years ago
Closed 7 years ago
I need my Firefox Sync two-factor login recovery codes more secure
Categories
(Cloud Services :: Server: Firefox Accounts, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: thomasjamesseymour, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Firefox for Android
Steps to reproduce:
I looked at my eight recovery codes for the two-factor authentication I have enabled on my Firefox Sync account and find them too easy for a computer program to guess even in just one attempt.
Actual results:
Eight-character alphanumeric codes aren't secure enough for me, since my passwords to websites, bookmarks to my private pictures and videos, and addresses of my home and that of my family, immediate and extended, are on my Firefox Sync account.
Expected results:
I think eight alphanumeric codes with sixteen characters is good. For example:
1. R83S-L2O9-2S41-F5AA
2. DYW3-6D2Y-2ETT-N6Q2
3. L9BE-2WZK-RMS7-A6VR
4. F5YB-5D26-D2JR-1T4Y
5. QDB4-A2T5-3FT5-D5E2
6. 46TE-3RFG-TGR3-57EW
7. E274-H6EA-53EC-4F31
8. IHPO-3CVW-GYE6-JW2L
Updated 7 years ago
Group: firefox-core-security
Component: Untriaged → Sync
Updated 7 years ago
Component: Sync → Server: Firefox Accounts
Product: Firefox → Cloud Services
Comment 1, 7 years ago
Thanks for the feedback!
> Eight-character alphanumeric codes aren't secure enough for me
IIRC they should be 10 characters, could you please double-check whether they were 8 or 10 characters for you?
> find them too easy for a computer program to guess even in just one attempt.
I'm not clear on what you mean by "easy to guess in just one attempt" here. With 8 codes, each 10 characters long taken from a 32-character alphabet, there's a 1 in (32**10 / 8 = 40737488355328) chance of correctly guessing a recovery code for your account on any one attempt. (And someone could only start making those guesses after first correctly guessing your account password).
As a point of comparison, Google's 2FA recovery codes are 8 numeric digits.
Flags: needinfo?(thomasjamesseymour)
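An added example, not code from Firefox Accounts or from this bug, that works the odds in comment 1 through for the three configurations discussed on this page (8 codes of 10 characters from a 32-symbol alphabet, the reporter's 16-character proposal, and 8-digit codes) and shows how a server can generate such codes from a CSPRNG and store them hashed for one-time use. The 32-symbol alphabet is constructed here and is an assumption, not necessarily the one the service uses.

```python
import hashlib
import math
import secrets

# Constructed 32-symbol alphabet (digits 2-9, letters minus the confusable
# l and o); an assumption for this example, not Firefox Accounts' alphabet.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"

def single_guess_odds(num_codes, code_len, alphabet_size=32):
    """N such that one random guess hits a valid code with odds 1 in N.
    Any of the unused codes is a hit, so the space is divided by num_codes
    (the alphabet**length / codes calculation in comment 1)."""
    return alphabet_size ** code_len // num_codes

def entropy_bits(code_len, alphabet_size=32):
    """Entropy of one code in bits: length * log2(alphabet size)."""
    return code_len * math.log2(alphabet_size)

def generate_codes(num_codes=8, code_len=10, alphabet=ALPHABET):
    """Unique one-time codes drawn from the OS CSPRNG via secrets."""
    codes = set()
    while len(codes) < num_codes:
        codes.add("".join(secrets.choice(alphabet) for _ in range(code_len)))
    return sorted(codes)

def normalize(code):
    """Tolerate hyphens, spaces and upper case in what the user types."""
    return "".join(ch for ch in code.lower() if ch.isalnum())

def hash_code(code):
    # Only hashes are stored: a database leak does not hand out the codes.
    # 50-bit codes are within offline brute-force reach of a fast hash, so
    # the real protection is server-side rate limiting of online guesses.
    return hashlib.sha256(normalize(code).encode()).hexdigest()

def store_codes(codes):
    return {hash_code(c) for c in codes}

def redeem(stored_hashes, candidate):
    """Consume a code on first use; presenting it again must fail."""
    digest = hash_code(candidate)
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False
```

The odds function gives 2**47 for the shipped scheme and 2**77 for the 16-character proposal, while a single 8-digit numeric code carries about 26.6 bits, which is the comparison comment 1 draws.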
Comment 2 (Reporter), 7 years ago
Everything you said makes sense. And yes, I did mean 10 characters instead of eight.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(thomasjamesseymour)
Resolution: --- → WORKSFORME
Comment 3, 7 years ago
> And yes, I did mean 10 characters instead of eight.
Thanks for taking the time to confirm.