No authentication required to be able to view Firefox passwords
Why is it that I can open settings > privacy > manage logins
And be able to access all of my login data without any authentication? There's no need to type the master password and there's also no device authentication, such as typing my pin or confirming with my fingerprint.
Επιλεγμένη λύση
You'd have to enter your master password before you can access any stored passwords. That's the whole point of setting a master password. https://support.mozilla.org/en-US/kb/using-master-password-firefox-android
Ανάγνωση απάντησης σε πλαίσιο 👍 0Όλες οι απαντήσεις (6)
Then why don't you set a master password?
Setting a master password does not prevent me from seeing my passwords without additional confirmation. I've tested it by killing the app before checking my logins.
Επιλεγμένη λύση
You'd have to enter your master password before you can access any stored passwords. That's the whole point of setting a master password. https://support.mozilla.org/en-US/kb/using-master-password-firefox-android
Have you tried it? I certainly expect to require authentication before showing a password, but it simply isn't the case for me. The explanation there is when using it to log in sites, not when viewing the passwords in your settings, so I'm not sure if that was considered.
The only issue I can think of is that I didn't have master passwords when I saved them. I added one recently after getting the Android app to see if I would require a prompt before viewing them and it hasn't worked.
I haven't tried a master password on Firefox for Android. And I don't store passwords in desktop Firefox either.
However, I know it works in Thunderbird (which I believe shares the code with Firefox). In order to be able to see the account passwords, one has to provide the master password before.
You may want to raise a bug in Bugzilla for FF for Android. https://bugzilla.mozilla.org/
Upon testing this again before posting a report, adding a master password and restarting seems to be working.
It seems like they have a very lenient way of verifying, as closing the app without killing it and turning the screen off will not require the prompt to view logins.
Either way, my entire point was to not view login on mobile anyways, so it is fine.
Thank you for your responses.