MozillaWiki

IAM/Frequently asked questions: Difference between revisions

Page Discussion

IAM/Frequently asked questions (view source)

Revision as of 08:16, 26 May 2023

6,834 bytes added ,  26 May 2023
→‎Q: Why do you support email login ("passwordless") if it's less safe than other methods?: Conjugate properly a verb
(Add New login experience FAQ)
 
(8 intermediate revisions by 4 users not shown)
Line 13: Line 13:
==== '''Q''': ''How do I login with Mozilla IAM?'' ====
==== '''Q''': ''How do I login with Mozilla IAM?'' ====


Mozilla IAM supports various login methods, such as "LDAP" (Staff logins), GitHub social login, Google social login and email login (which we call "passwordless").
Mozilla IAM supports various login methods, such as "LDAP" (Staff logins), Firefox Accounts login, GitHub social login, Google social login and email login (which we call "passwordless").
Certain methods support and enforce the use of two-factor authentication (2FA) and may grant access to more sensitive services.
Certain methods support and enforce the use of two-factor authentication (2FA) and may grant access to more sensitive services.


==== '''Q''': ''Why is my login failing with an error message telling me to use "GitHub/Google/LDAP/etc" instead?'' ====
==== '''Q''': ''Why is my login failing with an error message telling me to use "Firefox Accounts/GitHub/Google/LDAP/etc" instead?'' ====


If your login (your primary email address used by Mozilla IAM) matches an existing account which provides higher
If your login (your primary email address used by Mozilla IAM) matches an existing account which provides higher
Line 27: Line 27:


Sometimes all you want to do is post a comment on a public forum. For that, we often need to provide a valid identity, but we also want to make it as easy as possible for you to contribute.
Sometimes all you want to do is post a comment on a public forum. For that, we often need to provide a valid identity, but we also want to make it as easy as possible for you to contribute.
Email login ("passwordless") is our current solution for this use case. Some applications we provide may not provide this login method, for example when the application require more secure methods.
Email login ("passwordless") is our current solution for this use case. Some applications we provide may not provide this login method, for example when the application requires more secure methods.


==== '''Q''': ''I would like access to specific groups, such as the NDA group, but it requires me to use a different login method, why?'' ====
==== '''Q''': ''I would like access to specific groups, such as the NDA group, but it requires me to use a different login method, why?'' ====


We only allow login, or authentication methods that can verifiably require two-factor authentication (2FA) in order to join any group that may grant you access to data that is not public, such as what we call [https://wiki.mozilla.org/Security/Data_Classification STAFF CONFIDENTIAL data].
We only allow login, or authentication methods that can verifiably require two-factor authentication (2FA) in order to join any group that may grant you access to data that is not public, such as what we call [https://wiki.mozilla.org/Security/Data_Classification STAFF CONFIDENTIAL data].
At the time of writing, only LDAP, Google accounts that use our LDAP backend (i.e. '''not''' '@gmail.com' accounts) and GitHub account support this functionality.
At the time of writing, only LDAP, Google accounts that use our LDAP backend (i.e. '''not''' '@gmail.com' accounts), Firefox accounts and GitHub accounts support this functionality.


Example: you could get a GitHub account with two-factor authentication enabled. Here's some documentation on how to do this: https://help.github.com/articles/about-two-factor-authentication/
Example: you could get a GitHub account with two-factor authentication enabled. Here's some documentation on how to do this: https://help.github.com/articles/about-two-factor-authentication/.
Firefox Accounts also supports two-factor-authentication: https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/.


If more authentication methods add support for this in the future and seem to be otherwise safe, we'll gladly allow them as well.
If more authentication methods add support for this in the future and seem to be otherwise safe, we'll gladly allow them as well.
Line 56: Line 57:


You can find a link to our public discussion board here: https://github.com/mozilla-iam/mozilla-iam/#discussion
You can find a link to our public discussion board here: https://github.com/mozilla-iam/mozilla-iam/#discussion
==== '''Q''': ''How do I create a Non-Staff Mozillians Account that will work for SSO ====
To be able to be added to access groups in Mozillians, your Mozillians account must be associated with a supported login identity.
A Mozillians account must be associated with one of the following login identities with multi-factor authentication enabled to be added to access groups.
Mozilla LDAP (required during set-up)
* Firefox Accounts
* GitHub
* Google
1. If you don't already have an account with a supported login identity, create one by following the instructions from the provider
2. Enable 2FA/MFA authentication
If you set up 2FA on GitHub then you '''must select GitHub''' when creating your Mozillians account. If you set up 2FA on you Firefox account then you must select Firefox when creating your Mozillians account.
If your email account is provided by Google we recommend setting up 2FA in your Google account settings. If you don't want to set up 2FA on your Google account itself you can still use this address to create a GitHub or Firefox Account with 2FA enabled.
==== Sign-up For Mozillians ====
To keep things simple, it is very important that when creating your Mozillians account you choose the login method that has 2FA/MFA associated with it. If you set up 2FA/MFA on GitHub or Firefox Accounts do not select Google when logging in.
    Go to mozillians.org
    Click on Log in / Sign up
    Select the identity type that has 2FA/MFA enabled. DO NOT type your email into the "Log In or Sign Up with email" box.
    Remember, if you set up 2FA on your GitHub account then you must select GitHub when creating your Mozillians account.
    Fill out the required fields and click the button to Complete Registration
    Note: content blockers, including Firefox's built in settings, may hide the captcha. Ensure all the required fields are visible to be able to complete registration.


==== '''Q''': ''How can I set up two-factor authentication (2FA) for my github account, using an app on my phone (Android/iOS/Blackberry)?'' ====
==== '''Q''': ''How can I set up two-factor authentication (2FA) for my github account, using an app on my phone (Android/iOS/Blackberry)?'' ====
Line 64: Line 98:
*For Android and iOS: Duo Mobile
*For Android and iOS: Duo Mobile
*For Windows Phone: Authenticator
*For Windows Phone: Authenticator
2.  In the upper-right corner of any github page, click your profile photo, then click Settings.
2.  In the upper-right corner of any GitHub page, click your profile photo, then click Settings.
   [[File:Github-settings.png|450px]]
   [[File:Github-settings.png|450px]]
3.  In the user settings sidebar, click Security.
3.  In the user settings sidebar, click Security.
Line 91: Line 125:
   [[File:Mozillians_-_add_identity.png|450px]]
   [[File:Mozillians_-_add_identity.png|450px]]
5.  Select “Log in with Github” option in next page.
5.  Select “Log in with Github” option in next page.
   [[File:Mozillians_-_verify_account.png|280px]]
   [[File:1_-_nlx.png|280px]]
6.  Click Authorize mozilla. If you’re logged in to github in the same browser, you can skip the next 2 steps.
6.  Click Authorize mozilla. If you’re logged in to github in the same browser, you can skip the next 2 steps.
   [[File:Mozillians_-_authorize_mozilla.png|300px]]
   [[File:Mozillians_-_authorize_mozilla.png|300px]]
Line 103: Line 137:
   [[File:Mozillians_-_github_login_identity.png|400px]]
   [[File:Mozillians_-_github_login_identity.png|400px]]
11. Trying to login with email to mozillians will return an error page, asking to login with github.
11. Trying to login with email to mozillians will return an error page, asking to login with github.
   [[File:Mozillians_-_forbidden_page_message_-_github.png|350px]]
   [[File:2-_error.png|350px]]


==== '''Q''': ''The email address I use to login to my mozillians account matches the primary email of my github account. How can I upgrade my mozillians account from passwordless to github?'' ====
==== '''Q''': ''The email address I use to login to my mozillians account matches the primary email of my github account. How can I upgrade my mozillians account from passwordless to github?'' ====
Line 109: Line 143:
1.  In the following steps we assume you have 2FA set for your github account. If not, see the steps from [https://wiki.mozilla.org/IAM/Frequently_asked_questions#Q:_How_can_I_set_up_two-factor_authentication_.282FA.29_for_my_github_account.3F here].<br>
1.  In the following steps we assume you have 2FA set for your github account. If not, see the steps from [https://wiki.mozilla.org/IAM/Frequently_asked_questions#Q:_How_can_I_set_up_two-factor_authentication_.282FA.29_for_my_github_account.3F here].<br>
2.  Navigate to mozillians page and click Log In/Sign Up button. <br>
2.  Navigate to mozillians page and click Log In/Sign Up button. <br>
3.  Select “Log in with Github” method from mozillians login page. <br>
3.  Select “Continue with Github” method from mozillians login page. <br>
   [[File:Mozillians_-_login_ways.png|350px]]
   [[File:3_-_moz_login.png|350px]]
4.  Enter Github credentials.
4.  Enter Github credentials.
   [[File:Mozillians_-_login_with_github_to_upgrade_account.png|350px]]
   [[File:Mozillians_-_login_with_github_to_upgrade_account.png|350px]]
Line 118: Line 152:
   [[File:Mozillians_-_upgrade_to_github.png|350px]]
   [[File:Mozillians_-_upgrade_to_github.png|350px]]
7.  Trying to login with email to mozillians will return an error page, asking to login with github.
7.  Trying to login with email to mozillians will return an error page, asking to login with github.
   [[File:Mozillians_-_forbidden_page_message_-_github.png|350px]]
   [[File:2-_error.png|350px]]
 
==== '''Q''': ''The email address I use to login to my Mozillians account matches the primary email of my Firefox Accounts account. How can I upgrade my Mozillians account from Passwordless to Firefox Accounts?'' ====
 
1.  In the following steps we assume you have 2FA set for your Firefox Accounts account. If not, see the steps from [https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/ here].
2.  Navigate to mozillians page and click Log In/Sign Up button.
3.  Select “Continue with Firefox” method from mozillians login page.
  [[File:3_-_moz_login.png|350px]]
4.  Enter Firefox Accounts credentials.
  [[File:5_-_fxa_login.png|350px]]
5.  Enter 2fa code from your application.
  [[File:9_-_fxa_2fa.png|300px]]
6.  Navigate to Settings -> Profile Identities section, and verify that Firefox Accounts is set as your login identity. That means this is the only account you can use from now on to login to mozillians.
  [[File:8_-_fxa_primary.png|350px]]
7.  Trying to login with email to Mozillians will return an error page, asking to login with Firefox Accounts.
  [[File:7_-_fxa_error.png|350px]]


==== '''Q''': ''How can I upgrade my mozillians account from passwordless to LDAP?'' ====
==== '''Q''': ''How can I upgrade my mozillians account from passwordless to LDAP?'' ====


1.  Login to mozillians with your email.<br>
1.  Login to mozillians with your email.<br>
  NOTE: If you are logged in to a Mozilla website or to gmail with your LDAP account in your browser, you will probably be prompted to directly login with LDAP, after clicking "Log In" button in mozillians. In that case, please follow the next 2 steps, in order to login with email.
  a. Click "Use a different account" link.
  [[File:Mozillians_-_use_a_different_account.png|300px]]
  b. Select "Login with email" option.
  [[File:Mozillians_-_login_options_available.png|300px]]
  c. Enter your email address and click "Send Email" button. Next, you will receive an email with the login link to mozillians.
  [[File:Mozillians_-_enter_email.png|300px]]
2.  Navigate to profile settings page.
2.  Navigate to profile settings page.
   [[File:Mozillians_-_go_to_settings.png|350px]]
   [[File:Mozillians_-_go_to_settings.png|350px]]
3.  Scroll down to “Profile Identities” section and click “Add Identity” button.
3.  Scroll down to “Profile Identities” section and click “Add Identity” button.
   [[File:Mozillians_-_add_identity_-_ldap.png|350px]]
   [[File:Mozillians_-_add_identity_-_ldap.png|350px]]
4.  Select "Log in with LDAP" in the next page.
4.  Enter your LDAP email in the "Log in with email" field and click "Enter" button.
   [[File:Mozillians_-_login_with_ldap.png|300px]]
   [[File:4_-_add_Ldap_identity.png|300px]]
5.  Enter your LDAP credentials and click "LOG IN" button.
5.  Enter your LDAP password and click "Enter" button.
   [[File:Mozillians_-enter_ldap_credentials.png|300px]]
   [[File:5_-_add_ldap_password.png|300px]]
6.  Enter 2fa code from your application and click "Log In" button.
6.  Enter 2fa code from your application and click "Log In" button.
   [[File:Mozillians_-_ldap_-_enter_2fa_code.png|250px]]
   [[File:Mozillians_-_ldap_-_enter_2fa_code.png|250px]]
Line 153: Line 195:
1.  Login to mozillians using your LDAP credentials. <br>
1.  Login to mozillians using your LDAP credentials. <br>
2.  Navigate to mozillians profile settings page. <br>
2.  Navigate to mozillians profile settings page. <br>
3.  In Profile Identities section, Contact Identities sub-section shows the identities associated with your profile.  
3.  In Profile Identities section, Contact Identities sub-section shows the identities associated with your profile.
In order to set a certain email to show on your mozillians profile, you need to click the "Show on Profile" button corresponding to that email.
In order to set a certain email to show on your mozillians profile, you need to click the "Show on Profile" button corresponding to that email.
   [[File:Mozillians_-_show_on_profile.png|400px]]
   [[File:Mozillians_-_show_on_profile.png|400px]]
4.  Success message should be displayed.
4.  Success message should be displayed.
   [[File:Mozillians_-_primary_contact_identity_message.png|200px]]
   [[File:Mozillians_-_primary_contact_identity_message.png|200px]]
5.  Now your primary email is displayed under the profile picture and your LDAP is shown in the "Alternate Contact Identities" section of your mozillians profile.  
5.  Now your primary email is displayed under the profile picture and your LDAP is shown in the "Alternate Contact Identities" section of your mozillians profile.
   [[File:Mozillians_-_user_profile_-_alternate_indentity.png|400px]]
   [[File:Mozillians_-_user_profile_-_alternate_indentity.png|400px]]
6.  If you want your LDAP to not be shown at all on your profile, you should set your LDAP identity as Private and click Update Identities button.  
6.  If you want your LDAP to not be shown at all on your profile, you should set your LDAP identity as Private and click Update Identities button.
   [[File:Mozillians_-_set_LDAP_identity_to_private.png|400px]]
   [[File:Mozillians_-_set_LDAP_identity_to_private.png|400px]]
7.  Now only your personal email is shown on your profile, under the profile picture.
7.  Now only your personal email is shown on your profile, under the profile picture.
Line 172: Line 214:
3.  Scroll down to “Profile Identities” section and click “Add Identity” button.
3.  Scroll down to “Profile Identities” section and click “Add Identity” button.
   [[File:Mozillians_-_profile_page.png|350px]]
   [[File:Mozillians_-_profile_page.png|350px]]
4.  Select "Log in with LDAP" in the next page.
4.  Enter your LDAP email in the "Log in with email" field and click "Enter" button.
   [[File:Mozillians_-_login_with_ldap.png|200px]]
   [[File:10_-_volunteer_LDAP.png|300px]]
5.  Enter your volunteer LDAP credentials and click "LOG IN" button.
5.  Enter your LDAP password and click "Enter" button.
   [[File:Mozillians_-_enter_ldap_credentials.png|200px]]
  [[File:5_-_add_ldap_password.png|300px]]
6.  Verify that success message is displayed, after adding the new LDAP identity.
6.  Enter 2fa code from your application and click "Log In" button.
   [[File:Mozillians_-_ldap_-_enter_2fa_code.png|250px]]
7.  Verify that success message is displayed, after adding the new LDAP identity.
   [[File:Mozillians_-_success_message.png|350px]]
   [[File:Mozillians_-_success_message.png|350px]]
7.  Scroll down to “Profile Identities” section and verify that your volunteer LDAP account is set as your login identity. That means this is the only account you can use from now on to login to mozillians.
8.  Scroll down to “Profile Identities” section and verify that your volunteer LDAP account is set as your login identity. That means this is the only account you can use from now on to login to mozillians.
   [[File:Mozillians_-_no_mfa_ldap_added_identity.png|350px]]
   [[File:Mozillians_-_no_mfa_ldap_added_identity.png|350px]]


Line 187: Line 231:
3.  Scroll down to “Profile Identities” section and click “Add Identity” button.
3.  Scroll down to “Profile Identities” section and click “Add Identity” button.
   [[File:Mozillians_-_add_identity_google.png|350px]]
   [[File:Mozillians_-_add_identity_google.png|350px]]
4.  If you logged in with github in mozillians, you will probably be asked to select the github login. As you want to verify your google account, you should click "Use a different account link" at this step.
  [[File:Mozillians_-_use_different_account.png|200px]]
5.  Select "Log in with Google" in the next page.
5.  Select "Log in with Google" in the next page.
   [[File:Mozillians_-_login_with_google.png|200px]]
   [[File:3_-_moz_login.png|200px]]
6.  Enter your google email, then click Next.
6.  Enter your google email, then click Next.
   [[File:Mozillians_-_enter_google_email.png|250px]]
   [[File:Mozillians_-_enter_google_email.png|250px]]
Line 197: Line 239:
8.  Verify that success message is displayed, after adding the new Google identity.
8.  Verify that success message is displayed, after adding the new Google identity.
   [[File:Mozillians_-_success_message.png|350px]]
   [[File:Mozillians_-_success_message.png|350px]]
9.  Scroll down to “Profile Identities” section and verify that your Google account is set as your login identity.
9.  Scroll down to “Profile Identities” section and verify that your Google account is in your Contact identities section.
   [[File:Mozillians_-_google_identity.png|350px]]
   [[File:Mozillians_-_google_identity.png|350px]]
==== '''Q''': ''What issues I might encounter by upgrading to Firefox Accounts?'' ====
There are some known issues with using Firefox Accounts in Mozilla IAM:
1.  Login with Firefox Accounts is unavailable from inside some Android applications, including IRCCloud and Slack. This is due to lack of localStorage support in some Android WebViews.
2.  Firefox Accounts can only be used in Mozilla IAM with 2FA enabled. Note that once you choose to use Firefox Accounts, it is required to set up 2FA, to avoid being locked out of your account.
==== '''Q''': ''Why do the email login links expire after 15 minutes?'' ====
When you login using an email link, that link is valid for 15 minutes from when you request it.
This expiration window of 15 minutes is driven both by security considerations and a desire for
a positive user experience. The link is short lived so that there is a limited window
of time during which a potential attacker could use the link if they were able to get access
to it. This is especially important due to the inherently insecure nature of email
transmission.
During the past 18+ months, experience shows that for a vast majority of users, this 15 minute expiration window has no effect on
them as they receive the email link in their inbox mere seconds after they click the
button requesting the link. Some users however do not receive the email login link
immediately.
Short delays in delivery are just part of how email delivery works.
Longer delays however can be caused by a feature called [https://en.wikipedia.org/wiki/Greylisting Greylisting]. Continue on to the question below for further information on Greylisting.
==== '''Q''': ''What is email Greylisting?'' ====
Some email providers institute Greylisting on all inbound email for their users
as a measure to reduce spam. Greylisting temporarily rejects email from mail servers
where the sender hasn't communicated with the recipient before or due to some other
signal indicating the email may be spam. A mail server that is Greylisting expects
that a valid sender and mail server will continue to retry sending the email over
time and the Greylisting mail server will eventually accept the mail. In the case
of a "transactional" email like the email login link,
[https://en.wikipedia.org/wiki/Greylisting#Delayed_delivery_issues Greylisting prevents users from being able to do a real-time login].
==== '''Q''': ''What can I do about my email provider's Greylisting?'' ====
Users who have email providers that use Greylisting will likely see this type of
severely delayed transactional emails from other senders as well, for example
when they sign up to a new web site and that web site sends them an email with a
link to confirm that the user controls the email address they signed up with.
Unfortunately, in order for users with email providers that utilize Greylisting
to work around this problem, they may need to contact their email provider or
look in their providers documentation to see if there are whitelisting options
available to them. There's nothing that Mozilla can do on the sending side to
force the user's Greylisting mail server to accept and deliver the email.
Users sometimes ask to just increase the expiration time, for example to 30 or 60
minutes. We deliberately have not made this change because doing so would decrease our systems' security while not addressing the root cause of this problem (Greylisting).
Instead, we ask that users either:
* contact their email provider to ask to have Greylisting disabled
* have Mozilla's domain, `sso.mozilla.com` whitelisted
* use an alternative login method to email links
* use an email address of a different email provider that doesn't employ Greylisting.


=== New Login Experience FAQ (Frequently Asked Questions) ===
=== New Login Experience FAQ (Frequently Asked Questions) ===
Line 213: Line 310:
==== '''Q''': ''Auto-fill does not work with my password manager.'' ====
==== '''Q''': ''Auto-fill does not work with my password manager.'' ====
We tested the most common password managers successfully. In this case please reach out to us via the [https://discourse.mozilla.org/c/iam IAM Discourse] category and let us know which password manager you use.
We tested the most common password managers successfully. In this case please reach out to us via the [https://discourse.mozilla.org/c/iam IAM Discourse] category and let us know which password manager you use.
==== '''Q''': ''I'm using the Slack app (or another app) and it only lets me login with a specific method (such as Firefox)'' ====
The Slack app does not let you use the back button when it tries to automatically login to SSO. If you had auto-login enabled, you also cannot force a logout as it's not within your web-browser.
This is a limitation of the app. In order to avoid this, you can make sure that you do not check automatic login. Otherwise, you can also delete the application's settings on your system and start the application again.
For Slack on macOS the settings are in <code>~/Library/Application Support/Slack</code> - deleting this directory and restarting the Slack app will let you login normally again.
Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1189246...1246591"