Closed Bug 1600212 Opened 5 years ago Closed 7 months ago

[meta] Stop surprising users by deleting their sync data on password reset

Categories

(Cloud Services :: Server: Firefox Accounts, enhancement)

Type: enhancement
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rfkelly, Assigned: vzare)

References

(Blocks 1 open bug)

Details

(Keywords: meta)

Firefox Sync client-side encrypts all your browser data before uploading it to the Mozilla servers. This is an important differentiating feature relative to other browser sync systems, but it comes with one pretty bad failure mode: users who forget their Firefox Account password are unable to retrieve their sync data, and resetting the Firefox Account password wipes stored sync data from the servers.

The result is users who are surprised/disappointed/angry that Mozilla didn't safely hold on to their browser data when they expected that we would.

We should do a better job of making our system match user expectations here. Partly that's about changing the system (e.g. building ways to reset the account password without losing the encryption key) and partly that's about changing user expectations (e.g. more clearly communicating the encryption model up-front). Let's use this bug as a meta for tracking efforts to improve this situation, while also giving us a concrete place to link to in future when users report losing their data in this way.

Some thoughts on things we could do here:

  • Improve the password-reset flow to help lead users to better outcomes
    • Do they have an existing device that's connected to sync? We could help them reset through that device and ensure their data is re-uploaded to the server. Perhaps one day that device might be able to help keep the same encryption key while resetting the password.
    • Change the wording or add extra confirmation steps or something to make it clearer what's about to happen if they do reset their password; we've had users in the past report that they would have tried harder to remember it if they understood it would destroy their sync data.
  • Improve sync onboarding to set clearer user expectations
    • We could make a bigger deal out of advertising the encrypted properties of Sync during the setup process.
    • We could send an onboarding email that helps explain it in more detail.
    • We could prompt them to set up a recovery key as part of setting up sync.
    • Maybe we can prompt for the password again a few days after setting up sync, to help the user ensure they remember it?
  • Actually change the way the crypto works:
    • Some users would be just fine with Mozilla being able to access their browser data, if it meant we could provide them with a reliable backup. Maybe we should figure out how to give them that choice.

Alex, I'm sure you've got some works in progress on this front, would you be happy to link them from here for context?

I'm going to add user reports about this kind of data loss in the "see also" field for context.

Here's a small selection of bugs reporting this problem I found in just a few minutes - there will be many more, but this is enough to get a feel for things.

Just to start, I actually have in our roadmap a desire to tackle password resets more thoroughly this year. We've taken a good crack at it this year but there's still so much room for improvement.

Last year, we landed account recovery keys but never pushed them to mass adoption. We are currently working on that.

Things we've done this year:

  • We've deployed the first version of device pairing
  • We don't require a password to sign in to more services on the same device.
  • During registration, while picking a password, we explain how important it is to remember it since it will be used to encrypt data and a reset may cause data loss
  • In the next few weeks, we will be asking new users to download account recovery keys immediately after registration.

Planned:

  • We've taken the first steps to also ask our existing users to download their recovery key after a successful login.
  • Reaching out to our existing desktop users via our Account Toolbar menu to download/print their recovery key
  • More pairing work (reverse pairing flow)

I'd also like to explore being smarter about a few things like:

  • not making people worry during reset if they don't use Sync
  • minimize the impact by telling them about other devices still connected to Sync and encouraging them to do their password change there
  • Making it more clear that users need to sign back in to all of their devices after a reset so that data gets re-uploaded.
  • investigate if the current password is needed for a password change. (rather than forcing to sign out, doing a reset flow and logging back in)
  • avoiding disconnecting devices after a reset. (rather than disconnecting all, perhaps we could show which devices are connected and give them the choice)

Bigger unknowns to explore:

  • Using OS keyring to store backup of encryption-keys (I think Firefox might support this better now).
  • If we should change the way we do our crypto all around so people can recover.
  • I still wonder what role WebAuthn might play but I don't think it would provide much incremental value over the device pairing work we've already started.
  • Recovery friend(s)
  • Correcting password typos: https://www.cs.cornell.edu/~rahul/papers/pwtypos.pdf
  • Delegated recovery
  • Quizzing people about their password (without feeling like phishing)

Here's a dashboard to track volume of password resets, their proportion vs logins, their proportion vs active users, the reset success rate, etc.
https://analytics.amplitude.com/mozilla-corp/dashboard/b3zeidj

My opinion is that there's no doubt that it's easier for us to encrypt the data in a way that users can recover. However, there is still SOOOO MUCH work we can do to provide a better experience while maintaining our current level of data security.

Some examples of how others with similar security models do account recovery:

They have quite a few more options than us.

See Also: → 1596997
See Also: → 1656673
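The key model that the bug description and the recovery-key items above rely on, shown as an added worked example. This is not Firefox Accounts code: the real protocol derives and wraps keys differently, and the names (kB, seal, unseal, Server, setup_account, reset_password), the PBKDF2 iteration count and the HMAC-based toy cipher standing in for a real AEAD are all choices made for this illustration. It shows why a reset without the old password forces a fresh data key (so the stored ciphertext has to be wiped), and how a separately stored recovery key that also wraps the data key lets the same data survive a reset.

```python
"""Added illustration, not Firefox Accounts code: a toy key hierarchy showing
why a password reset destroys client-side-encrypted sync data, and how a
separately stored recovery key lets the data survive. The cipher is a
throwaway HMAC construction so the example runs on the standard library;
use a real AEAD (e.g. AES-GCM) for anything but a demo."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KDF_ITERATIONS = 100_000  # assumption for the example; tune for real deployments


def kdf(password: str, salt: bytes) -> bytes:
    """Stretch the account password into a 32-byte key-wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used only as a toy stream cipher here."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError on a wrong key or tampered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """What the server holds. Note what is absent: the password, kB, plaintext."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.wrapped_kB = b""            # kB sealed under the password-derived key
        self.recovery_wrapped_kB = None  # kB sealed under the recovery key, if enrolled
        self.sync_data = None            # browser data sealed under kB


def setup_account(password: str, sync_data: bytes,
                  enroll_recovery: bool = False) -> Tuple[Server, Optional[bytes]]:
    """Client side of account setup. Returns (server, recovery_key_or_None)."""
    server = Server()
    kB = os.urandom(32)                  # random data key, generated on the client
    server.wrapped_kB = seal(kdf(password, server.salt), kB)
    server.sync_data = seal(kB, sync_data)
    recovery_key = None
    if enroll_recovery:
        recovery_key = os.urandom(32)    # shown once to the user to print or save
        server.recovery_wrapped_kB = seal(recovery_key, kB)
    return server, recovery_key


def fetch_sync_data(server: Server, password: str) -> bytes:
    """Normal sign-in: the password unwraps kB, kB decrypts the data."""
    if server.sync_data is None:
        raise LookupError("no sync data on the server; a connected device must re-upload")
    kB = unseal(kdf(password, server.salt), server.wrapped_kB)
    return unseal(kB, server.sync_data)


def reset_password(server: Server, new_password: str,
                   recovery_key: Optional[bytes] = None) -> bool:
    """Reset when the old password is forgotten.

    Returns True if the existing sync data was kept, False if it had to be wiped.
    """
    new_wrap_key = kdf(new_password, server.salt)
    if recovery_key is not None and server.recovery_wrapped_kB is not None:
        kB = unseal(recovery_key, server.recovery_wrapped_kB)  # old kB recovered client-side
        server.wrapped_kB = seal(new_wrap_key, kB)             # re-wrap under the new password
        return True
    # Nobody can produce the old kB: the server never had it and the old password is gone.
    # The only option is a fresh kB, which makes the stored ciphertext worthless.
    server.wrapped_kB = seal(new_wrap_key, os.urandom(32))
    server.sync_data = None
    server.recovery_wrapped_kB = None
    return False


if __name__ == "__main__":
    srv, rk = setup_account("correct horse", b"bookmarks+passwords", enroll_recovery=True)
    print(reset_password(srv, "new password", recovery_key=rk), fetch_sync_data(srv, "new password"))
    srv2, _ = setup_account("correct horse", b"bookmarks+passwords")
    print(reset_password(srv2, "new password"))
```

The asymmetry is the whole point of the thread: in the recovery-key branch the reset is a client-side re-wrap of an unchanged kB, so the ciphertext on the server stays readable, while in the other branch no party can reconstruct the old kB and the wipe follows from the key model rather than from a policy choice. A "back up kB to the OS keyring" approach would slot into the same place as the recovery key: a second wrapping of kB held somewhere the password reset does not touch.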

I just lost ALL of my Bookmarks that I have gathered for years.

I wanted to sync my profile on another device, forgot my password, did a password reset, then AFTER the password was reset I got a warning that all my data may be lost.

THIS IS UNACCEPTABLE!!!

The user should get an explicit warning that resetting the password will also delete ALL user profile data BEFORE the password reset attempt.

Other web browsers use a dedicated password for encrypting user data, so an account password reset does not reset the data.

Thank you Mozilla. Now I consider Firefox insecure by design :-(

Can I somehow obtain a copy of my old data and try to restore it with my old password?

I created an account to report this bug and I came to say that you destroyed my life with this problem: all my passwords and bookmarks were deleted!

Assignee: nobody → vzare

We do have warnings in place right now but they are not displayed in the most timely or prominent manner. We are rolling out a new design in the next few weeks to ensure that customers know exactly what will happen upon password reset and bring more overall clarity to the password reset flow.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED