On 9/06/2016 12:29, Nicholas Alexander wrote:
>
>
> On Wed, Jun 8, 2016 at 6:59 PM, Ryan Kelly <[email protected]
> <mailto:[email protected]>> wrote:
>
>
> Hi All,
>
>
> (This was a shower thought that I wanted to write down while it was in
> my head - comments welcome, but no action required.)
>
> In previous discussions of adding two-factor auth to FxA, we've
> struggled with the issue of backwards-compatibility for API consumers
> that don't know how to do 2FA.
>
> The standard solution here is to let the user generate one-time-use
> "application passwords" that can be entered into legacy systems. For
> example, this is how you can login to gmail in thunderbird if you have
> 2FA enabled:
>
> https://support.google.com/accounts/answer/185833?hl=en
>
> Things aren't so simple for us, because the password in FxA does
> double-duty as a source of entropy for your encryption key.
>
>
> Is the idea to allow app PWs that allow access to kB? I started
> questioning some parts of your method, and intended to urge you not to
> allow non-main-PW access to kB, before realizing this was your goal. Am
> I correct?
Yes, IIRC every single one of our legacy applications would require
access to kB in order to function correctly. Things that don't need kB
are using OAuth and/or web content to login, and so we have more
flexibility in shielding them from complexities here.
I'm interested to hear your take on the cons of doing that.
Cheers,
Ryan
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
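As an added illustration (not code from the thread, nor FxA's own protocol), a simplified Python model of the point Ryan raises: because kB is only ever stored wrapped under a password-derived key, an app password that is to give a legacy client kB can only be minted by something that already holds the main password, and revoking it means discarding that wrapped copy. The KDF, the verifier and all names here are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed, simplified model of the tension in the thread: the account
# password is stretched into a wrapping key and kB is stored only wrapped
# under it, so anything that needs kB needs a password that can unwrap it.
# Not FxA's real onepw protocol; the KDF parameters and names are assumptions.

def stretch(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Account:
    def __init__(self, main_password: bytes):
        kb = secrets.token_bytes(32)   # the key every legacy app needs
        # A verifier lets unwrap reject a wrong password instead of returning noise.
        self.kb_check = hmac.new(kb, b"kb-verify", "sha256").digest()
        self.main = self._wrap(kb, main_password)
        self.app_passwords = {}        # label -> (salt, wrapped copy of kB)

    def _wrap(self, kb: bytes, password: bytes):
        salt = os.urandom(16)
        return salt, xor(kb, stretch(password, salt))   # server never sees kB

    def _unwrap(self, entry, password: bytes) -> bytes:
        salt, wrapped = entry
        kb = xor(wrapped, stretch(password, salt))
        tag = hmac.new(kb, b"kb-verify", "sha256").digest()
        if not hmac.compare_digest(tag, self.kb_check):
            raise ValueError("wrong password")
        return kb

    def unwrap_kb(self, main_password: bytes) -> bytes:
        return self._unwrap(self.main, main_password)

    def issue_app_password(self, main_password: bytes, label: str) -> bytes:
        # Minting needs the main password: kB is unwrapped, then re-wrapped under the new secret.
        kb = self.unwrap_kb(main_password)
        app_pw = secrets.token_urlsafe(16).encode()
        self.app_passwords[label] = self._wrap(kb, app_pw)
        return app_pw

    def unwrap_kb_with_app_password(self, label: str, app_pw: bytes) -> bytes:
        return self._unwrap(self.app_passwords[label], app_pw)

    def revoke_app_password(self, label: str) -> None:
        del self.app_passwords[label]  # drops that copy; kB itself is unchanged
```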