1
edit
IAM/Frequently asked questions: Difference between revisions
→Q: Why do you support email login ("passwordless") if it's less safe than other methods?: Conjugate properly a verb
(https://github.com/mozilla/wikimo_content/pull/129) |
(→Q: Why do you support email login ("passwordless") if it's less safe than other methods?: Conjugate properly a verb) |
||
| (5 intermediate revisions by 3 users not shown) | |||
| Line 27: | Line 27: | ||
Sometimes all you want to do is post a comment on a public forum. For that, we often need to provide a valid identity, but we also want to make it as easy as possible for you to contribute. | Sometimes all you want to do is post a comment on a public forum. For that, we often need to provide a valid identity, but we also want to make it as easy as possible for you to contribute. | ||
Email login ("passwordless") is our current solution for this use case. Some applications we provide may not provide this login method, for example when the application | Email login ("passwordless") is our current solution for this use case. Some applications we provide may not provide this login method, for example when the application requires more secure methods. | ||
==== '''Q''': ''I would like access to specific groups, such as the NDA group, but it requires me to use a different login method, why?'' ==== | ==== '''Q''': ''I would like access to specific groups, such as the NDA group, but it requires me to use a different login method, why?'' ==== | ||
| Line 57: | Line 57: | ||
You can find a link to our public discussion board here: https://github.com/mozilla-iam/mozilla-iam/#discussion | You can find a link to our public discussion board here: https://github.com/mozilla-iam/mozilla-iam/#discussion | ||
==== '''Q''': ''How do I create a Non-Staff Mozillians Account that will work for SSO ==== | |||
To be able to be added to access groups in Mozillians, your Mozillians account must be associated with a supported login identity. | |||
A Mozillians account must be associated with one of the following login identities with multi-factor authentication enabled to be added to access groups. | |||
Mozilla LDAP (required during set-up) | |||
* Firefox Accounts | |||
* GitHub | |||
* Google | |||
1. If you don't already have an account with a supported login identity, create one by following the instructions from the provider | |||
2. Enable 2FA/MFA authentication | |||
If you set up 2FA on GitHub then you '''must select GitHub''' when creating your Mozillians account. If you set up 2FA on you Firefox account then you must select Firefox when creating your Mozillians account. | |||
If your email account is provided by Google we recommend setting up 2FA in your Google account settings. If you don't want to set up 2FA on your Google account itself you can still use this address to create a GitHub or Firefox Account with 2FA enabled. | |||
==== Sign-up For Mozillians ==== | |||
To keep things simple, it is very important that when creating your Mozillians account you choose the login method that has 2FA/MFA associated with it. If you set up 2FA/MFA on GitHub or Firefox Accounts do not select Google when logging in. | |||
Go to mozillians.org | |||
Click on Log in / Sign up | |||
Select the identity type that has 2FA/MFA enabled. DO NOT type your email into the "Log In or Sign Up with email" box. | |||
Remember, if you set up 2FA on your GitHub account then you must select GitHub when creating your Mozillians account. | |||
Fill out the required fields and click the button to Complete Registration | |||
Note: content blockers, including Firefox's built in settings, may hide the captcha. Ensure all the required fields are visible to be able to complete registration. | |||
==== '''Q''': ''How can I set up two-factor authentication (2FA) for my github account, using an app on my phone (Android/iOS/Blackberry)?'' ==== | ==== '''Q''': ''How can I set up two-factor authentication (2FA) for my github account, using an app on my phone (Android/iOS/Blackberry)?'' ==== | ||
| Line 124: | Line 157: | ||
1. In the following steps we assume you have 2FA set for your Firefox Accounts account. If not, see the steps from [https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/ here]. | 1. In the following steps we assume you have 2FA set for your Firefox Accounts account. If not, see the steps from [https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/ here]. | ||
2. Navigate to mozillians page and click Log In/Sign Up button. | 2. Navigate to mozillians page and click Log In/Sign Up button. | ||
3. Select “Continue with Firefox” method from mozillians login page. | 3. Select “Continue with Firefox” method from mozillians login page. | ||
[[File:3_-_moz_login.png|350px]] | [[File:3_-_moz_login.png|350px]] | ||
| Line 146: | Line 179: | ||
[[File:4_-_add_Ldap_identity.png|300px]] | [[File:4_-_add_Ldap_identity.png|300px]] | ||
5. Enter your LDAP password and click "Enter" button. | 5. Enter your LDAP password and click "Enter" button. | ||
[[File:5_-_add_ldap_password.png|300px]] | [[File:5_-_add_ldap_password.png|300px]] | ||
6. Enter 2fa code from your application and click "Log In" button. | 6. Enter 2fa code from your application and click "Log In" button. | ||
[[File:Mozillians_-_ldap_-_enter_2fa_code.png|250px]] | [[File:Mozillians_-_ldap_-_enter_2fa_code.png|250px]] | ||
| Line 162: | Line 195: | ||
1. Login to mozillians using your LDAP credentials. <br> | 1. Login to mozillians using your LDAP credentials. <br> | ||
2. Navigate to mozillians profile settings page. <br> | 2. Navigate to mozillians profile settings page. <br> | ||
3. In Profile Identities section, Contact Identities sub-section shows the identities associated with your profile. | 3. In Profile Identities section, Contact Identities sub-section shows the identities associated with your profile. | ||
In order to set a certain email to show on your mozillians profile, you need to click the "Show on Profile" button corresponding to that email. | In order to set a certain email to show on your mozillians profile, you need to click the "Show on Profile" button corresponding to that email. | ||
[[File:Mozillians_-_show_on_profile.png|400px]] | [[File:Mozillians_-_show_on_profile.png|400px]] | ||
4. Success message should be displayed. | 4. Success message should be displayed. | ||
[[File:Mozillians_-_primary_contact_identity_message.png|200px]] | [[File:Mozillians_-_primary_contact_identity_message.png|200px]] | ||
5. Now your primary email is displayed under the profile picture and your LDAP is shown in the "Alternate Contact Identities" section of your mozillians profile. | 5. Now your primary email is displayed under the profile picture and your LDAP is shown in the "Alternate Contact Identities" section of your mozillians profile. | ||
[[File:Mozillians_-_user_profile_-_alternate_indentity.png|400px]] | [[File:Mozillians_-_user_profile_-_alternate_indentity.png|400px]] | ||
6. If you want your LDAP to not be shown at all on your profile, you should set your LDAP identity as Private and click Update Identities button. | 6. If you want your LDAP to not be shown at all on your profile, you should set your LDAP identity as Private and click Update Identities button. | ||
[[File:Mozillians_-_set_LDAP_identity_to_private.png|400px]] | [[File:Mozillians_-_set_LDAP_identity_to_private.png|400px]] | ||
7. Now only your personal email is shown on your profile, under the profile picture. | 7. Now only your personal email is shown on your profile, under the profile picture. | ||
| Line 184: | Line 217: | ||
[[File:10_-_volunteer_LDAP.png|300px]] | [[File:10_-_volunteer_LDAP.png|300px]] | ||
5. Enter your LDAP password and click "Enter" button. | 5. Enter your LDAP password and click "Enter" button. | ||
[[File:5_-_add_ldap_password.png|300px]] | [[File:5_-_add_ldap_password.png|300px]] | ||
6. Enter 2fa code from your application and click "Log In" button. | 6. Enter 2fa code from your application and click "Log In" button. | ||
[[File:Mozillians_-_ldap_-_enter_2fa_code.png|250px]] | [[File:Mozillians_-_ldap_-_enter_2fa_code.png|250px]] | ||
| Line 212: | Line 245: | ||
==== '''Q''': ''What issues I might encounter by upgrading to Firefox Accounts?'' ==== | ==== '''Q''': ''What issues I might encounter by upgrading to Firefox Accounts?'' ==== | ||
There are some known issues with using Firefox Accounts in Mozilla IAM: | There are some known issues with using Firefox Accounts in Mozilla IAM: | ||
1. Login with Firefox Accounts is unavailable from inside some Android applications, including IRCCloud and Slack. This is due to lack of localStorage support in some Android WebViews. | 1. Login with Firefox Accounts is unavailable from inside some Android applications, including IRCCloud and Slack. This is due to lack of localStorage support in some Android WebViews. | ||
2. Firefox Accounts can only be used in Mozilla IAM with 2FA enabled. Note that once you choose to use Firefox Accounts, it is required to set up 2FA, to avoid being locked out of your account. | 2. Firefox Accounts can only be used in Mozilla IAM with 2FA enabled. Note that once you choose to use Firefox Accounts, it is required to set up 2FA, to avoid being locked out of your account. | ||
==== '''Q''': ''Why do the email login links expire after 15 minutes?'' ==== | |||
When you login using an email link, that link is valid for 15 minutes from when you request it. | |||
This expiration window of 15 minutes is driven both by security considerations and a desire for | |||
a positive user experience. The link is short lived so that there is a limited window | |||
of time during which a potential attacker could use the link if they were able to get access | |||
to it. This is especially important due to the inherently insecure nature of email | |||
transmission. | |||
During the past 18+ months, experience shows that for a vast majority of users, this 15 minute expiration window has no effect on | |||
them as they receive the email link in their inbox mere seconds after they click the | |||
button requesting the link. Some users however do not receive the email login link | |||
immediately. | |||
Short delays in delivery are just part of how email delivery works. | |||
Longer delays however can be caused by a feature called [https://en.wikipedia.org/wiki/Greylisting Greylisting]. Continue on to the question below for further information on Greylisting. | |||
==== '''Q''': ''What is email Greylisting?'' ==== | |||
Some email providers institute Greylisting on all inbound email for their users | |||
as a measure to reduce spam. Greylisting temporarily rejects email from mail servers | |||
where the sender hasn't communicated with the recipient before or due to some other | |||
signal indicating the email may be spam. A mail server that is Greylisting expects | |||
that a valid sender and mail server will continue to retry sending the email over | |||
time and the Greylisting mail server will eventually accept the mail. In the case | |||
of a "transactional" email like the email login link, | |||
[https://en.wikipedia.org/wiki/Greylisting#Delayed_delivery_issues Greylisting prevents users from being able to do a real-time login]. | |||
==== '''Q''': ''What can I do about my email provider's Greylisting?'' ==== | |||
Users who have email providers that use Greylisting will likely see this type of | |||
severely delayed transactional emails from other senders as well, for example | |||
when they sign up to a new web site and that web site sends them an email with a | |||
link to confirm that the user controls the email address they signed up with. | |||
Unfortunately, in order for users with email providers that utilize Greylisting | |||
to work around this problem, they may need to contact their email provider or | |||
look in their providers documentation to see if there are whitelisting options | |||
available to them. There's nothing that Mozilla can do on the sending side to | |||
force the user's Greylisting mail server to accept and deliver the email. | |||
Users sometimes ask to just increase the expiration time, for example to 30 or 60 | |||
minutes. We deliberately have not made this change because doing so would decrease our systems' security while not addressing the root cause of this problem (Greylisting). | |||
Instead, we ask that users either: | |||
* contact their email provider to ask to have Greylisting disabled | |||
* have Mozilla's domain, `sso.mozilla.com` whitelisted | |||
* use an alternative login method to email links | |||
* use an email address of a different email provider that doesn't employ Greylisting. | |||
=== New Login Experience FAQ (Frequently Asked Questions) === | === New Login Experience FAQ (Frequently Asked Questions) === | ||
| Line 230: | Line 310: | ||
==== '''Q''': ''Auto-fill does not work with my password manager.'' ==== | ==== '''Q''': ''Auto-fill does not work with my password manager.'' ==== | ||
We tested the most common password managers successfully. In this case please reach out to us via the [https://discourse.mozilla.org/c/iam IAM Discourse] category and let us know which password manager you use. | We tested the most common password managers successfully. In this case please reach out to us via the [https://discourse.mozilla.org/c/iam IAM Discourse] category and let us know which password manager you use. | ||
==== '''Q''': ''I'm using the Slack app (or another app) and it only lets me login with a specific method (such as Firefox)'' ==== | |||
The Slack app does not let you use the back button when it tries to automatically login to SSO. If you had auto-login enabled, you also cannot force a logout as it's not within your web-browser. | |||
This is a limitation of the app. In order to avoid this, you can make sure that you do not check automatic login. Otherwise, you can also delete the application's settings on your system and start the application again. | |||
For Slack on macOS the settings are in <code>~/Library/Application Support/Slack</code> - deleting this directory and restarting the Slack app will let you login normally again. | |||