Hi All,

It's been a pretty exciting Q2 2015 for Firefox Accounts.  Here's a
recap of some of the highlights from the quarter:

* We welcomed several new contributors to the project, including three
interns, two volunteer contributors, and a new hire.  We're very excited
to have you all as part of this effort!

* We integrated Pocket as our first third-party relier, and the release
went completely smoothly and to schedule.  No mean feat for what was a
fairly last-minute ask from the product team.

* Driven by the Pocket integration, we made a bunch of general-purpose
improvements to our OAuth infrastructure, including:

  * an interstitial permissions prompt for untrusted reliers
  * the ability to intelligently choose between "signup" and "signin"
  * better hinting of what account to use during the login flow
  * the ability for reliers to control verification redirect behaviour
  * signalling whether the signin was a new or existing account

* We helped the Hello team add encryption to their room context
information, by ensuring that OAuth signin in the browser can reliably
obtain encryption keys from the account.

* We shipped an engagement email opt-in integration, which I'm told has
produced at least a five-fold increase in the number of daily
subscriptions to the "Firefox and You" newsletter.

* We launched a comprehensive client-side-metrics effort with
visualizations driven by DataDog, and learned a number of surprising
facts about how users engage with our web content in the real world.
It's given us a lot of things to dig into going forward, like:

  * surprisingly many users click "resend email" after signing up
  * surprisingly few users get a slick passwordless login experience
  * a surprisingly high percentage of logins involve a password reset

* We improved login state consistency between the browser and the web,
by sending messages to the browser when the user makes changes to their
account.

* We improved security and usability of the self-service OAuth
credentials console, by ensuring users can only access details for
clients that they own.

* We moved password-checking out of the web process and into a stored
procedure on the database, as an extra layer of security against server
breaches.

* We removed a *ton* of legacy crypto code from the auth server,
replacing it with a small, simple, and well-maintained core of just the
functionality we need.

* We developed a minimal working prototype for federated partner login
to your Firefox Account, and a clear roadmap to a demo-quality release
for a partner by the end of July.

* We made a bunch of UI improvements for viewing and interacting with
our content on mobile platforms, in support of the upcoming Firefox for
iOS release.

* We laid all the groundwork to allow sign-in to sync from an iframe
in web content, which will produce a much-improved first-run experience
for Firefox 40:

   * patches to desktop Firefox to coordinate the login
   * a new "chromeless" style for embedding in the first-run flow
   * security tweaks to ensure safe iframeability

* We shipped profile images to general release, and landed code to show
them in the desktop Firefox UI when you're signed in to sync (coming
soon to a Nightly release near you).

* We implemented "refresh tokens", an OAuth2 feature that will improve
security of our connected services by making tokens short-lived by default.

* As of the release train currently in stage, we will send you emails to
confirm when important events occur on your account, such as password
resets or the connection of a new device.

* And every bit as important as all that: we continued paying down
technical debt, refactoring suboptimal abstractions, and improving our
test infrastructure to ensure we can keep shipping at pace well into the
future.


Thank you to everyone involved.  I'm proud to be shipping quality code
with this great team, and I'm excited to see what challenges and
opportunities the rest of the year will bring.


  Cheers,

    Ryan
_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct
