On Wed, Jun 8, 2016 at 6:59 PM, Ryan Kelly <[email protected]> wrote:
> Hi All,
>
> (This was a shower thought that I wanted to write down while it was in
> my head - comments welcome, but no action required.)
>
> In previous discussions of adding two-factor auth to FxA, we've
> struggled with the issue of backwards-compatibility for API consumers
> that don't know how to do 2FA.
>
> The standard solution here is to let the user generate one-time-use
> "application passwords" that can be entered into legacy systems. For
> example, this is how you can login to gmail in thunderbird if you have
> 2FA enabled:
>
> https://support.google.com/accounts/answer/185833?hl=en
>
> Things aren't so simple for us, because the password in FxA does
> double-duty as a source of entropy for your encryption key.

Is the idea to allow app PWs that allow access to kB?

I started questioning some parts of your method, and intended to urge you not to allow non-main-PW access to kB, before realizing this was your goal. Am I correct?

Nick

