1600210 - Lockwise on Desktop unexpectedly retains saved passwords after signing out

Status: RESOLVED WORKSFORME

(Firefox :: Sync, enhancement, P3)

Description

[Ryan Kelly [:rfkelly]]

(This came out of a conversation with :mjkelly on slack, but the sentiment feels familiar from feedback from other users, so I wanted to make sure we had a bug on file to track it. Please dupe liberally if we're already tracking this somewhere.)

With our recent focus on the revamped lockwise and FxA experience, it's possible for users to have a "lack of felt security" experience like this:

1. Hear that we have a new password manager, and it syncs using your Firefox Account. Get excited to try it out.
2. Try it out by signing in on a new Firefox instance, and be pleased with the way it provides convenient access to your synced passwords from another device.
3. Sign out of the new Firefox instance, without really reading what appears to be a fairly standard "are you sure you want to sign out?" popup dialog.
4. Be surprised and alarmed to discover that your passwords, which you thought were securely stored behind your account, remain available unprotected in the now-signed-out Firefox Lockwise UI. Lose trust in Firefox's security properties.

This is currently on-purpose behaviour from Firefox Sync, which by default will leave all synced data on the device when you sign out. We used to offer a more elaborate dialog during the signout process, that prompted users whether they wanted to delete data from the local profile, but it proved to be confusing in several ways and so was replaced in Firefox 71.

The replacement dialog (step 3 above) does in fact warn the user that their data will be left on the device, but it's really very easy not to notice this. The experience feels very similar to other "are you sure you want to X?" dialogs that we're conditioned to just click through.

I don't really have a solution here, but I empathize with users who find this surprising and alarming. I think the mental model we're creating with Lockwise may result in a different set of expectations than we've been used to with Sync in the past. It's also different from the behaviour of the Lockwise mobile apps, which do not retain the passwords after signing out.

Comment 1

[Ana Medinac]

I saw this tweet the other day as well, the user signed out of their FxA Account on their device but realized that his passwords were still available on the Lockwise app: https://twitter.com/deadmavrick/status/1202656723661492224.

Comment 4

[Matthew N. [:MattN]]

Losing multi-select deletion of logins was raised by Janet as something which makes this issue worse. We are hoping to implement that in the next few weeks (bug 1208194).

Comment 5

[Matthew N. [:MattN]]

We may do bug 1613620 even sooner.

I still think bring back the option to delete data is important for the other data types and we had users want to delete bookmarks and logins at once. The Lockwise fixes are only mitigations for one data type.

Comment 7

[Darryl]

I used this feature when troubleshooting other's PCs, both work and friends, to have access to websites, software, and logins to assist in repairing devices. Imagine my horror and displeasure to find that all my passwords are retained on all the devices I have repaired, all because you guys could not, by default, block password access when not signed in. Wasn't that the whole point of building in the password manager? That was the purpose of having the FF account, not sign in once, and your data is available on the device forever upon signout. Instead of securing my passwords, you have allowed me to give them to everybody with no knowledge of doing so, believing my information is secure because I signed out. Instead, I have unwittingly participated in the compromising of my own data for identity theft purposes.

Comment 9

[Mark Hammond [:markh] [:mhammond]]

I'm going to close this because bug 1657463 landed, which gives the user the opportunity to delete all local data, including passwords, when disconnecting sync.