Require device sign in to fill and manage passwords BUT with GPO?
I am working on deploying Firefox with a GPO and I noticed that a saved password can be easily viewed just by going into the password manager. I found a way to disable the password manager altogether, but then you can't save passwords. I am looking for a way just to "Require device sign in to fill and manage passwords", as it says, so it's not just clicking the eyeball to see the password. I saw this article ( https://support.mozilla.org/en-US/kb/firefox-password-authentification-prompt ) which is how I got the description for this and that seems to be exactly what I want, but I cannot find this setting anywhere in the GPO. Anyone know where it is OR perhaps maybe you could add it?
All Replies (2)
awebber1, sorry, can't help with GPO.
Speaking as a user, I am not sure how secure Device sign-in authentication actually is? It might prevent a casual user from seeing passwords inside Firefox itself, but several sites have reported that it won't stop information-stealing malware, as it does not add any encryption to the files that store the passwords on the hard drive? i.e., anyone who can access the hard drive can ultimately retrieve the logins independently of the user's Firefox settings?
Someone can correct me if I am wrong, but perhaps a more secure route is to add a primary password, as this adds a second layer of encryption to the hard drive files. And so even if someone did obtain the files they would still need to know this primary password (or brute force it) in order to decrypt the stored logins.
Just something to possibly consider, and I believe that there are GPO options related to primary passwords?
https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins
I think that Firefox should automatically switch to OS authentication if you aren't using the Primary Password.
You can set this pref via GPO to ensure this. Signon prefs can be set via the Preferences policy.
- signon.management.page.os-auth.enabled => true
See also the PrimaryPassword policy.
- https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy
- https://mozilla.github.io/policy-templates/
Note that using Biometrics like Windows Hello/PIN instead of the Primary Password to protect the logins is less secure, as it doesn't encrypt the logins stored in logins.json like the Primary Password does, and having access to logins.json and key4.db and placing them in a Firefox profile is sufficient to inspect the logins. Using Biometrics merely makes it harder to access/view passwords in the Password Manager, but Firefox will still be able to fill a login on a webpage without asking. This is also the case if you unlock the passwords via the Primary Password during a session.
Firefox does support the OS Authentication feature, but it hasn't been enabled.
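An added example, not part of the thread and not Mozilla's code: a small check over a parsed Firefox policy object (the same JSON that goes into the GPO Preferences setting or under "policies" in policies.json) that reports whether the pref named in the reply is enforced and whether a Primary Password is required. The function name and the sample policy are constructed for illustration; the "Value"/"Status" entry shape is the one documented in Mozilla's policy templates.

```python
import json

# Pref name as given in the reply above.
OS_AUTH_PREF = "signon.management.page.os-auth.enabled"

# Constructed sample policy: locks the OS-auth pref, no Primary Password rule.
SAMPLE_POLICIES = json.loads("""
{
  "Preferences": {
    "signon.management.page.os-auth.enabled": {"Value": true, "Status": "locked"}
  }
}
""")


def audit_password_policy(policies):
    """Return a list of findings for a parsed Firefox policy object (hypothetical helper)."""
    # PrimaryPassword: true makes a Primary Password mandatory; per the thread
    # this is the option that encrypts the logins stored in logins.json.
    if policies.get("PrimaryPassword") is True:
        return []

    findings = []
    entry = policies.get("Preferences", {}).get(OS_AUTH_PREF)
    if entry is None:
        findings.append("os-auth pref is not set by policy")
    else:
        if entry.get("Value") is not True:
            findings.append("os-auth pref is not set to true")
        if entry.get("Status") != "locked":
            findings.append("os-auth pref is not locked; users can change it")

    # OS authentication only gates the Password Manager UI, as the reply notes.
    findings.append("Primary Password not required; logins.json may be stored without it")
    return findings


if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_POLICIES):
        print("FINDING:", finding)
```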