IAM/Frequently asked questions: Difference between revisions

From MozillaWiki
Line 83: Line 83:


==== '''Q''': ''How can I set up two-factor authentication (2FA) for my github account, without using an app on my phone?'' ====
==== '''Q''': ''How can I set up two-factor authentication (2FA) for my github account, without using an app on my phone?'' ====
If you would rather not install yet another app on your device, you can use Firekey, which is A 2-factor auth (TOTP) token generator for the Web.<br>
 
If you would rather not install yet another app on your device, you can run the Firekey app (which is a 2-factor auth (TOTP) token generator for the Web) by browsing https://firekey.org/. <br>
1.  In the upper-right corner of any github page, click your profile photo, then click Settings.
1.  In the upper-right corner of any github page, click your profile photo, then click Settings.
   [[File:Github-settings.png|450px]]
   [[File:Github-settings.png|450px]]
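Review bot: the reworded intro sentence nests one parenthetical inside another ("(which is a 2-factor auth (TOTP) token generator for the Web)") and leaves a stray space before the `<br>`. Something like "you can run the Firekey app, a web-based TOTP token generator, at https://firekey.org/" reads more cleanly. Since the sentence now sends the reader to that site, it could also say up front that the GitHub 2FA secret is what gets entered there.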

Revision as of 13:44, 27 December 2017

Mozilla IAM FAQ (Frequently Asked Questions)

Q: What is Mozilla IAM?

Mozilla IAM stands for Mozilla's Identity and Access Management. It's the system Mozilla uses to manage logins to various web properties and systems.

Usually, you'd use Mozilla IAM as Mozilla Staff, or as a contributor with access to the tools and resources Mozilla uses day to day. An example of that would be our Discourse instance: http://discourse.mozilla.org/

Mozilla IAM is not Firefox Accounts, Persona or part of any Mozilla Product.

Q: How do I login with Mozilla IAM?

Mozilla IAM supports various login methods, such as "LDAP" (Staff logins), GitHub social login, Google social login and email login (which we call "passwordless"). Certain methods support and enforce the use of two-factor authentication (2FA) and may grant access to more sensitive services.

Q: Why is my login failing with an error message telling me to use "GitHub/Google/LDAP/etc" instead?

If your login (your primary email address used by Mozilla IAM) matches an existing account which provides higher security, we require that you use the most secure method available to login.

Example: LDAP uses two-factor authentication to verify a user's identity and is safer than using email login ("passwordless").

Q: Why do you support email login ("passwordless") if it's less safe than other methods?

Sometimes all you want to do is post a comment on a public forum. For that, we often need to provide a valid identity, but we also want to make it as easy as possible for you to contribute. Email login ("passwordless") is our current solution for this use case. Some applications we provide may not offer this login method, for example when the application requires more secure methods.

Q: I would like access to specific groups, such as the NDA group, but it requires me to use a different login method, why?

To join any group that may grant you access to data that is not public, such as what we call STAFF CONFIDENTIAL data, we only allow login (authentication) methods that can verifiably require two-factor authentication (2FA). At the time of writing, only LDAP, Google accounts that use our LDAP backend (i.e. not '@gmail.com' accounts) and GitHub accounts support this functionality.

Example: you could get a GitHub account with two-factor authentication enabled. Here's some documentation on how to do this: https://help.github.com/articles/about-two-factor-authentication/

If more authentication methods add support for this in the future and seem to be otherwise safe, we'll gladly allow them as well.

Q: I used to use email login ("passwordless") to access STAFF CONFIDENTIAL data with my NDA'd account, but I lost access

We no longer allow email logins to access non-PUBLIC data (see previous FAQ item as well). In order to regain access, please use a login method that supports two-factor authentication (2FA) such as GitHub. Here's some documentation on how to do this: https://help.github.com/articles/about-two-factor-authentication/

Q: Where is the source code, documentation, etc. for all Mozilla IAM Projects?

Glad you asked! It's all here: https://github.com/mozilla-iam/mozilla-iam/

Q: I found a bug, vulnerability, issue, etc. Where do I report it?

Please report all public bugs and issues here: https://github.com/mozilla-iam/mozilla-iam/issues. For security vulnerabilities, please see https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/ or email us at security@mozilla.org. Thanks for your help!

Q: My question is not listed here, where can I reach out?

You can find a link to our public discussion board here: https://github.com/mozilla-iam/mozilla-iam/#discussion

Q: How can I set up two-factor authentication (2FA) for my github account, using an app on my phone (Android/iOS/Blackberry)?

Two-factor authentication can be configured by using a Time-based One-Time Password (TOTP) application, which automatically generates an authentication code that changes after a certain period of time. See configuration steps below.
1. Download one of these apps:

  • For Android, iOS, and Blackberry: Google Authenticator
  • For Android and iOS: Duo Mobile
  • For Windows Phone: Authenticator

2. In the upper-right corner of any github page, click your profile photo, then click Settings.

  Github-settings.png

3. In the user settings sidebar, click Security.

  Github - security.png

4. Under Two-factor authentication, click Set up two-factor authentication.

  Github - set up 2fa.png

5. On the Two-factor authentication page, click Set up using an app.

  Github - set up using an app.png

6. To enable two-factor authentication you must save your two-factor recovery codes in a safe place, such as a password manager, by clicking Download, Print, or Copy. Your recovery codes will help get you back into your account if you've lost access. After saving your codes, click Next.

  Github - recovery.png

7. Scan the QR code with your mobile device's app. After scanning, the app will display a six-digit code that you can enter on GitHub.

  Github - scan barcode.png

8. The TOTP mobile application will save your GitHub account and generate a new authentication code every few seconds. On GitHub, on the 2FA page, type the code and click Next.

  Github - enter passcode.png

9. Verify that a success message is shown.

  Github - 2fa success message.png

10. After 2FA has been enabled and you've saved your recovery codes, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.

Q: How can I set up two-factor authentication (2FA) for my github account, without using an app on my phone?

If you would rather not install yet another app on your device, you can run the Firekey app, a two-factor authentication (TOTP) token generator for the Web, by browsing to https://firekey.org/.
1. In the upper-right corner of any github page, click your profile photo, then click Settings.

  Github-settings.png

2. In the user settings sidebar, click Security.

  Github - security.png

3. Under Two-factor authentication, click Set up two-factor authentication.

  Github - set up 2fa.png

4. On the Two-factor authentication page, click Set up using an app.

  Github - set up using an app.png

5. To enable two-factor authentication you must save your two-factor recovery codes in a safe place, such as a password manager, by clicking Download, Print, or Copy. Your recovery codes will help get you back into your account if you've lost access. After saving your codes, click Next.

  Github - recovery.png

6. Get the secret key for your duo setup by either scanning the barcode (the URI generated should have the "secret" parameter) or by clicking the "enter this text code" link. Also, save this secret in a file.

  Github - enter text code.png
  Github - 2fa secret.png 

7. Copy the 2-factor secret.
8. Navigate to https://firekey.org/ and add a new account.

  Firekey - add account.png

9. Enter a site name and paste the secret in "secret key" field, then click "Add".

  Firekey - login code.png

10. Enter the provided number for the 2FA in github.

  Github - code.png

11. Verify that a success message is shown.

  Github - 2fa success message.png

12. After 2FA has been enabled and you've saved your recovery codes, we recommend you sign out and back in to your account. In case of problems, such as a forgotten password or typo in your email address, you can use recovery codes to access your account and correct the problem.
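
How the secret from step 6 becomes the number entered in step 10, as an added example (not part of the original FAQ and not Firekey's or GitHub's code): it reads the "secret" parameter from an otpauth URI and computes the RFC 6238 TOTP code, which depends only on that secret and the current time. The sample URI, its label and issuer are constructed from the RFC 6238 test key, and `verify` with its one-step tolerance is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/GitHub:example-user"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub")


def secret_from_uri(uri):
    """Return the base32 'secret' parameter of an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("URI has no 'secret' parameter")
    return values[0]


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    # Accept the secret as typed by hand: spaces, lower case, no padding.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Hypothetical server-side check; the accepted window is an assumption.
def verify(secret_b32, candidate, unix_time, window=1, step=30):
    """Accept a code from the current step or `window` steps either side."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t >= 0 and hmac.compare_digest(totp(secret_b32, t, step), candidate):
            return True
    return False


if __name__ == "__main__":
    import time
    print(totp(secret_from_uri(SAMPLE_URI), time.time()))
```

Because the code is a pure function of the secret and the clock, any copy of the secret (the file from step 6, the browser storage of a web generator) produces the same valid codes as the original.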

Q: I have an email address for my mozillians account different than the email I set as primary in my github account. How can I upgrade my mozillians account from passwordless to github?

1. In the following steps we assume you have 2FA set for your github account. If not, see the steps from here.
2. Login to mozillians with your email.
3. Navigate to profile settings page.

  Mozillians - go to settings.png

4. Scroll down to “Profile Identities” section and click “Add Identity” button.

  Mozillians - add identity.png

5. Select “Log in with Github” option in next page.

  Mozillians - verify account.png

6. Click Authorize mozilla. If you’re logged in to github in the same browser, you can skip the next 2 steps.

  Mozillians - authorize mozilla.png

7. Enter github credentials and click “Sign In” button.

  Mozillians - add github credentials.png

8. Enter the two-factor authentication code generated by the app or received on your phone via text message.

  Mozillians - enter 2fa code.png

9. Verify that a success message is displayed after adding the new github identity.

  Mozillians - success message.png

10. Scroll down to “Profile Identities” section and verify that your github account is set as your login identity. That means this is the account you should use from now on to login to mozillians.

  Mozillians - github login identity.png

11. Trying to login with email to mozillians will return an error page, asking to login with github.

  Mozillians - forbidden page message - github.png

Q: The email address I use to login to my mozillians account matches the primary email of my github account. How can I upgrade my mozillians account from passwordless to github?

1. In the following steps we assume you have 2FA set for your github account. If not, see the steps from here.
2. Navigate to mozillians page and click Log In/Sign Up button.
3. Select “Log in with Github” method from mozillians login page.

  Mozillians - login ways.png

4. Enter Github credentials.

  Mozillians - login with github to upgrade account.png

5. Enter 2fa code from your application.

  Mozillians - enter 2fa code.png

6. Navigate to Settings -> Profile Identities section, and verify that Github is set as your login identity. That means this is the only account you can use from now on to login to mozillians.

  Mozillians - upgrade to github.png

7. Trying to login with email to mozillians will return an error page, asking to login with github.

  Mozillians - forbidden page message - github.png

Q: How can I upgrade my mozillians account from passwordless to LDAP?

1. Login to mozillians with your email.

  NOTE: If you are logged in to a Mozilla website or to gmail with your LDAP account in your browser, you will probably be prompted to directly login with LDAP, after clicking "Log In" button in mozillians. In that case, please follow the next 2 steps, in order to login with email.
  a. Click "Use a different account" link.
  Mozillians - use a different account.png
  b. Select "Login with email" option. 
  Mozillians - login options available.png
  c. Enter your email address and click "Send Email" button. Next, you will receive an email with the login link to mozillians.
  Mozillians - enter email.png

2. Navigate to profile settings page.

  Mozillians - go to settings.png

3. Scroll down to “Profile Identities” section and click “Add Identity” button.

  Mozillians - add identity - ldap.png

4. Select "Log in with LDAP" in the next page.

  Mozillians - login with ldap.png

5. Enter your LDAP credentials and click "LOG IN" button.

  Mozillians -enter ldap credentials.png

6. Enter 2fa code from your application and click "Log In" button.

  Mozillians - ldap - enter 2fa code.png

7. Verify that a success message is displayed after adding the new LDAP identity.

  Mozillians - success message.png

8. Scroll down to “Profile Identities” section and verify that your LDAP account is set as your login identity. That means this is the only account you can use from now on to login to mozillians.

  Mozillians - ldap login identity.png

Q: What happens if I lose access to my LDAP (aka leave Mozilla) and I still need to be able to login as a community member?

When the LDAP account goes away, we will de-provision that identity from your Auth0 identity. This way you will be able to log in using other authentication providers (e.g. Github, Google or passwordless email). In order to do that you should add at least one such "secondary identity" to your profile while you are a staff member.

Q: I am a Mozilla staff member and I want to show my personal email address on my Mozillians profile. How do I do that?

1. Login to mozillians using your LDAP credentials.
2. Navigate to mozillians profile settings page.
3. In Profile Identities section, Contact Identities sub-section shows the identities associated with your profile. In order to set a certain email to show on your mozillians profile, you need to click the "Show on Profile" button corresponding to that email.

  Mozillians - show on profile.png

4. Success message should be displayed.

  Mozillians - primary contact identity message.png

5. Now your primary email is displayed under the profile picture and your LDAP is shown in the "Alternate Contact Identities" section of your mozillians profile.

  Mozillians - user profile - alternate indentity.png

6. If you want your LDAP to not be shown at all on your profile, you should set your LDAP identity as Private and click Update Identities button.

  Mozillians - set LDAP identity to private.png

7. Now only your personal email is shown on your profile, under the profile picture.

  Mozillians - user profile - no alternate identity.png

Q: I am a volunteer and I own a volunteer LDAP account. How can I upgrade my mozillians account from email (passwordless) login?

If you own a volunteer LDAP account, then you can upgrade your mozillians profile to that LDAP account (instead of github with 2FA), by following the next steps:
1. Login with email to mozillians.
2. Navigate to mozillians profile settings page.
3. Scroll down to “Profile Identities” section and click “Add Identity” button.

  Mozillians - profile page.png

4. Select "Log in with LDAP" in the next page.

  Mozillians - login with ldap.png

5. Enter your volunteer LDAP credentials and click "LOG IN" button.

  Mozillians - enter ldap credentials.png

6. Verify that a success message is displayed after adding the new LDAP identity.

  Mozillians - success message.png

7. Scroll down to “Profile Identities” section and verify that your volunteer LDAP account is set as your login identity. That means this is the only account you can use from now on to login to mozillians.

  Mozillians - no mfa ldap added identity.png

Q: How can I verify a google account in mozillians?

1. Login to mozillians.
2. Navigate to mozillians profile settings page.
3. Scroll down to “Profile Identities” section and click “Add Identity” button.

  Mozillians - add identity google.png

4. If you logged in with github in mozillians, you will probably be asked to select the github login. As you want to verify your google account, you should click the "Use a different account" link at this step.

  Mozillians - use different account.png

5. Select "Log in with Google" in the next page.

  Mozillians - login with google.png

6. Enter your google email, then click Next.

  Mozillians - enter google email.png

7. Enter your google password, then click Next.

  Mozillians - enter google password.png

8. Verify that a success message is displayed after adding the new Google identity.

  Mozillians - success message.png

9. Scroll down to “Profile Identities” section and verify that your Google account is set as your login identity.

  Mozillians - google identity.png