Hey all!

Vijay, Phil and I are in the final stages of developing a new feature
called "signin confirmation."

Because Sync is such high value data, we want to be reasonably sure the
only person that can access the user's Sync account is the user themselves.
With signin confirmation, any time a user signs *in* to FxA for access to
Sync, they must re-verify their email. Every. Time. This measure is a kind
of 2FA without being full 2FA.

Each sign in to FxA for access to Sync will act similarly to a user who signs
up for a new account. The user will see a new screen that says "For
additional security, you must verify your email." They will receive a new
email that has security messaging. Once they click the link in the email,
the browser will start syncing.

We have come to a point where the bulk of the heavy lifting is complete and
we need to test in earnest.

I have set up an AWS stack that can be used to test all the Foxes.

https://confirm-signin.dev.lcip.org/

I have a handy user.js file that can be used for Firefox Desktop [1].

I am working on a test doc at [2], though this contains a lot of
information you will be unable to test without a full local development
stack.

What we need help with:

   - Ensure you can sign up and in to Sync. Signing in will require an
   additional email verification.
   - Ensure the screens and emails you receive make sense.
   - Ensure Sync does not start until *after* you click the verification
   link in the email.
   - Ensure you can reset your password.
   - Ensure you can change your password.
   - Testing on Fennec and Fx for iOS.

Any issues can be reported to me, or as GitHub issues in [3].

Thanks,
Shane

[1] - https://gist.github.com/shane-tomlinson/4b15926babda1804f43b70885d3dfa0d
[2] - https://docs.google.com/document/d/1ztLvUs6fK6h2ump6FWBXw2-7CyXYcC39zd10t1VdDQc
[3] - https://github.com/mozilla/fxa-content-server/issues/new
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
