IAM/Frequently asked questions: Difference between revisions
Gdestuynder (talk | contribs) (Automated sync from https://github.com/mozilla/wikimo_content) |
Gdestuynder (talk | contribs) (Automated sync from https://github.com/mozilla/wikimo_content) |
||
| Line 7: | Line 7: | ||
Usually, you'd use Mozilla IAM as Mozilla Staff, or as a contributor with access to the tools and resources Mozilla uses day to day. | Usually, you'd use Mozilla IAM as Mozilla Staff, or as a contributor with access to the tools and resources Mozilla uses day to day. | ||
An example of that would be our Discourse instance: http://discourse.mozilla | An example of that would be our Discourse instance: http://discourse.mozilla.org/ | ||
Mozilla IAM is '''not''' Firefox Accounts, Persona or part of any Mozilla Product. | Mozilla IAM is '''not''' Firefox Accounts, Persona or part of any Mozilla Product. | ||
| Line 14: | Line 14: | ||
Mozilla IAM supports various login methods, such as "LDAP" (Staff logins), GitHub social login, Google social login and email login (which we call "passwordless"). | Mozilla IAM supports various login methods, such as "LDAP" (Staff logins), GitHub social login, Google social login and email login (which we call "passwordless"). | ||
Certain methods support and enforce the use of | Certain methods support and enforce the use of two-factor authentication (2FA) and may grant access to more sensitive services. | ||
==== '''Q''': ''Why is my login failing with an error message telling me to use "GitHub/Google/LDAP/etc" instead?'' ==== | ==== '''Q''': ''Why is my login failing with an error message telling me to use "GitHub/Google/LDAP/etc" instead?'' ==== | ||
| Line 21: | Line 21: | ||
security, we require that you use the most secure method available to login. | security, we require that you use the most secure method available to login. | ||
Example: LDAP uses | Example: LDAP uses two-factor authentication to verify a user's identity and is safer than using email login | ||
("passwordless"). | ("passwordless"). | ||
| Line 31: | Line 31: | ||
==== '''Q''': ''I would like access to specific groups, such as the NDA group, but it requires me to use a different login method, why?'' ==== | ==== '''Q''': ''I would like access to specific groups, such as the NDA group, but it requires me to use a different login method, why?'' ==== | ||
We only allow login, or authentication methods that can verifiably require | We only allow login, or authentication methods that can verifiably require two-factor authentication (2FA) in order to join any group that may grant you access to data that is not public, such as what we call [https://wiki.mozilla.org/Security/Data_Classification STAFF CONFIDENTIAL data]. | ||
At the time of writing, only LDAP, Google accounts that use our LDAP backend (i.e. '''not''' '@gmail.com' accounts) and GitHub account support this functionality. | At the time of writing, only LDAP, Google accounts that use our LDAP backend (i.e. '''not''' '@gmail.com' accounts) and GitHub account support this functionality. | ||
Example: you could get a GitHub account with | Example: you could get a GitHub account with two-factor authentication enabled. Here's some documentation on how to do this: https://help.github.com/articles/about-two-factor-authentication/ | ||
If more authentication methods add support for this in the future and seem to be otherwise safe, we'll gladly allow them as well. | If more authentication methods add support for this in the future and seem to be otherwise safe, we'll gladly allow them as well. | ||
| Line 41: | Line 41: | ||
We no longer allow email logins to access non-PUBLIC data (see previous FAQ item as well). | We no longer allow email logins to access non-PUBLIC data (see previous FAQ item as well). | ||
In order to regain access, please use a login method that supports | In order to regain access, please use a login method that supports two-factor authentication (2FA) such as GitHub. Here's some documentation on how to do this: https://help.github.com/articles/about-two-factor-authentication/ | ||
==== '''Q''': ''Where is the source code, documentation, etc. for all Mozilla IAM Projects?'' ==== | ==== '''Q''': ''Where is the source code, documentation, etc. for all Mozilla IAM Projects?'' ==== | ||
Revision as of 22:10, 30 October 2017
Mozilla IAM FAQ (Frequently Asked Questions)
Q: What is Mozilla IAM?
Mozilla IAM stands for Mozilla's Identity and Access Management. It's the system that Mozilla manage logins to various web properties and systems.
Usually, you'd use Mozilla IAM as Mozilla Staff, or as a contributor with access to the tools and resources Mozilla uses day to day. An example of that would be our Discourse instance: http://discourse.mozilla.org/
Mozilla IAM is not Firefox Accounts, Persona or part of any Mozilla Product.
Q: How do I login with Mozilla IAM?
Mozilla IAM supports various login methods, such as "LDAP" (Staff logins), GitHub social login, Google social login and email login (which we call "passwordless"). Certain methods support and enforce the use of two-factor authentication (2FA) and may grant access to more sensitive services.
Q: Why is my login failing with an error message telling me to use "GitHub/Google/LDAP/etc" instead?
If your login (your primary email address used by Mozilla IAM) matches an existing account which provides higher security, we require that you use the most secure method available to login.
Example: LDAP uses two-factor authentication to verify a user's identity and is safer than using email login ("passwordless").
Q: Why do you support email login ("passwordless") if it's less safe than other methods?
Sometimes all you want to do is post a comment on a public forum. For that, we often need to provide a valid identity, but we also want to make it as easy as possible for you to contribute. Email login ("passwordless") is our current solution for this use case. Some applications we provide may not provide this login method, for example when the application always require more secure methods.
Q: I would like access to specific groups, such as the NDA group, but it requires me to use a different login method, why?
We only allow login, or authentication methods that can verifiably require two-factor authentication (2FA) in order to join any group that may grant you access to data that is not public, such as what we call STAFF CONFIDENTIAL data. At the time of writing, only LDAP, Google accounts that use our LDAP backend (i.e. not '@gmail.com' accounts) and GitHub account support this functionality.
Example: you could get a GitHub account with two-factor authentication enabled. Here's some documentation on how to do this: https://help.github.com/articles/about-two-factor-authentication/
If more authentication methods add support for this in the future and seem to be otherwise safe, we'll gladly allow them as well.
Q: I used to use email login ("passwordless") to access STAFF CONFIDENTIAL data with my NDA'd account, but I lost access
We no longer allow email logins to access non-PUBLIC data (see previous FAQ item as well). In order to regain access, please use a login method that supports two-factor authentication (2FA) such as GitHub. Here's some documentation on how to do this: https://help.github.com/articles/about-two-factor-authentication/
Q: Where is the source code, documentation, etc. for all Mozilla IAM Projects?
Glad you asked! it's all here: https://github.com/mozilla-iam/mozilla-iam/
Q: I found a bug, vulnerability, issue, etc. Where do I report it?
Please report all public bugs and issues here: https://github.com/mozilla-iam/mozilla-iam/issues For security vulnerabilities, please see https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/ or email us at security@mozilla.org Thanks for your help!
Q: My question is not listed here, where can I reach out?
You can find a link to our public discussion board here: https://github.com/mozilla-iam/mozilla-iam/#discussion