Identity/Firefox Accounts: Difference between revisions
Revision by Stomlinson (talk | contribs), minor edit: "Add a link to the meeting notes archive"; previous minor edit: "→Cloud Services".
Revision as of 03:55, 4 May 2016
About Firefox Accounts
Firefox Accounts is the account system that provides access to services run by Mozilla and select partners.
A user can sign in with a Firefox Account to any of her "Foxes" - Firefox on Desktop, Firefox for Android, and Firefox OS - to access integrated services such as Firefox Sync and Firefox Marketplace. She can also sign in to services on the web using a standard OAuth flow.
Longer term we envision that non-Mozilla services and applications will be able to delegate authentication to Firefox Accounts while managing their own data.
For information on integrating a service with Firefox Accounts, visit the Firefox Accounts portal on MDN.
For information on contributing to Firefox Accounts development, visit the developer documentation.
FAQ
Am I required to create a Firefox Account to use Firefox?
No. A Firefox Account is only required for Mozilla Services that require authentication, such as Firefox Sync and advanced features on Firefox Marketplace like purchasing paid apps, adding app reviews etc.
Why does Firefox Accounts require me to choose a password?
One of the primary services that uses Firefox Accounts is Firefox Sync, which encrypts all your data client-side before submitting it to the server. The password is used to securely derive an encryption key.
What information does Firefox Accounts store about the user?
https://developer.mozilla.org/en-US/Firefox_Accounts#Firefox_Accounts_user_data
Can I use Firefox Accounts to store user data for my application or service?
In general no.
Firefox Accounts only stores information that will deliver significant user value across applications or is tightly related to the user's identity. It will not store user data for relying services. Relying Mozilla services can use Firefox Accounts for authentication, but application data storage is the responsibility of the individual applications.
What's the difference between Persona and Firefox Accounts?
Persona is a general-purpose federated login protocol for the web. It is not intended to provide you with a new account, and it's not a new account system. It's intended that you can use Persona to log in to relying sites without first "signing up" for Persona, but rather using an existing account with a Persona-enabled Identity Provider.
One confusing point about Persona today is a service called the "Persona Fallback", which serves as a proxy Identity Provider if your actual IdP doesn't support Persona (or isn't bridged), which is just about every IdP except Google and Yahoo. In this case, you currently have to sign up for a "Persona Fallback Account" (i.e. choose a password and verify your email) to use Persona.
But a Persona Fallback Account is not a Persona Account, it's not part of the long term vision of Persona, and that's not supposed to be the happy path of the Persona login experience. And it's definitely not a Firefox Account.
Independently of Persona, Mozilla needs an account database to deliver a fantastic, integrated experience across all its products and on all the user's devices. Unfortunately, delivering awesome services involves some less exciting, but still important aspects, like making sure users have had a chance to inspect our terms of service and privacy policies. We must also comply with local laws and regulations, e.g., COPPA. It would be inconvenient for users to have to verify a terms of service, a privacy policy, and COPPA at each individual Mozilla service. We believe that users should only have to inspect our terms of service, privacy policy, and go through COPPA verification once for all our services.
We also need more than just a login system, e.g. Firefox Sync requires the ability to derive an encryption key to protect the user's data. Firefox Accounts enables us to do that without adding all those complications to the simple-and-effective Persona protocol.
Can I use Persona to log in to my Firefox Account?
No.
Can I use my Firefox Account to log in to non-Mozilla services?
Not initially, but it's something we'd like to support in the future.
Does Firefox Accounts provide email?
No.
Is it possible to host your own Firefox Accounts service, like with Firefox Sync?
Architecture
https://mana.mozilla.org/wiki/display/services/Firefox+Accounts+Architecture
Cloud Services
Firefox Accounts Cloud Services is composed of several sub-services, including an auth server and a content server.
Auth Server
The Auth Server provides an HTTP API that:
- authenticates the user
- enables the user to authenticate to other services via BrowserID assertions
- enables change and reset password operations
Links:
- Code: https://github.com/mozilla/fxa-auth-server
- API documentation: https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md
- Dev deployment: https://github.com/mozilla/fxa-auth-server#dev-deployment
- Python API client (primarily a reference client): https://github.com/warner/picl-spec-crypto
OAuth Server
The OAuth Server provides an HTTP API that:
- accepts BrowserID assertions from the auth-server as authentication
- implements a standard OAuth2 token-granting flow
Links:
- Code: https://github.com/mozilla/fxa-oauth-server
- API documentation: https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md
Content Server
The Content Server hosts static assets (HTML, Javascript, CSS, etc.) that support user interactions with Firefox Accounts. The responsibilities of the Content Server include:
- hosting a Javascript library that supports interactions with the Auth Server
- hosting login and create account pages
- hosting password reset pages
- hosting landing pages for email verification links
- hosting UI pages for the OAuth login flow
Links:
- Code: https://github.com/mozilla/fxa-content-server
- Deployments:
- dev stable: https://accounts.dev.lcip.org/
- dev latest: https://accounts-latest.dev.lcip.org/
- prod: https://accounts.firefox.com/
Interaction with the Firefox Accounts authentication and OAuth APIs is done via a Javascript client library. In addition to communicating with the backend servers, it also performs local key stretching (PBKDF2 and scrypt) on the user's password before it's used in the API. It is hosted by the Content Server. This library was at one time called "Gherkin".
Links:
- Code: https://github.com/mozilla/fxa-js-client
- Key stretching details: https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#Client-Side_Key_Stretching
- Key stretching performance tests: https://wiki.mozilla.org/Identity/AttachedServices/Key_Stretching_Performance_Tests
Verifier
FxA enables clients to generate BrowserID assertions on behalf of the user. FxA provides a hosted verifier for verifying these assertions.
- Verifier server code: https://github.com/mozilla/browserid-verifier
- Verifier library: https://github.com/mozilla/browserid-local-verify
- Production deployment: https://verifier.accounts.firefox.com/v2
Customs Server
FxA uses the Customs Server to detect and mitigate fraud & abuse.
Links:
- Code: https://github.com/mozilla/fxa-customs-server
- Deployment: currently pulled in by the auth server as an npm dependency
Deployments
https://developer.mozilla.org/en-US/Firefox_Accounts#Firefox_Accounts_deployments
Metrics
https://wiki.mozilla.org/Identity/Firefox_Accounts/Minimum_Viable_Metrics
Fraud and Abuse
- General fraud and abuse detection/mitigation
- Account lockout feature
Resources
Mailing Lists
- Firefox Accounts development: https://mail.mozilla.org/listinfo/dev-fxacct
- Sync development: https://mail.mozilla.org/listinfo/sync-dev
Team
- Leads: Chris Karlof, Ryan Kelly
- IRC: #fxa
- List: dev-fxacct@mozilla.org
- Engineering: Danny Coates, Shane Tomlinson, Sean McArthur, Vlad Filippov, Phil Booth, Vijay Budhram
- UX: Ryan Feeley
- Metrics: Katie Parlante
- QA: John Morrison, Peter deHaan, Karl Thiessen
- DevOps: Chris Kolosiwsky