This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Using OS authentication (e.g., TouchID) for Credit Cards and Logins

  • 6 replies
  • 2 have this problem
  • 6 views
  • Last reply by dkeeler

more options

Apologies for re-posting, I asked about this issue before https://support.mozilla.org/en-US/questions/1323826, but it was archived without any response :(

In an answer to this question: https://support.mozilla.org/en-US/questions/1318109#answer-1376159 cor-el warned that using OS authentication (for example, TouchID on a Mac) for passwords instead of a Primary Password is actually not really safe because it doesn't encrypt logins in logins.json and it would be possible to extract them by running: prompt("Logins",JSON.stringify(Services.logins.getAllLogins())); Now I am a bit confused because for storing Credit Cards the default is, of course, using OS authentication (I don't think there's an option to set a password instead). So I am wondering, is that safe, i.e., is the credit card information encrypted that I can retrieve with my TouchID (even without a Primary Password)?

And if so, would anybody be able to explain the differences between these two approaches and why the Firefox developers chose one for Logins/Passwords but the other for Credit Cards.

Apologies for re-posting, I asked about this issue before https://support.mozilla.org/en-US/questions/1323826, but it was archived without any response :( In an answer to this question: https://support.mozilla.org/en-US/questions/1318109#answer-1376159 cor-el warned that using OS authentication (for example, TouchID on a Mac) for passwords instead of a Primary Password is actually not really safe because it doesn't encrypt logins in logins.json and it would be possible to extract them by running: prompt("Logins",JSON.stringify(Services.logins.getAllLogins())); Now I am a bit confused because for storing Credit Cards the default is, of course, using OS authentication (I don't think there's an option to set a password instead). So I am wondering, is that safe, i.e., is the credit card information encrypted that I can retrieve with my TouchID (even without a Primary Password)? And if so, would anybody be able to explain the differences between these two approaches and why the Firefox developers chose one for Logins/Passwords but the other for Credit Cards.

All Replies (6)

more options

OS authentication uses an encryption key stored securely by the operating system to encrypt your credit card information. The "primary password' mechanism uses an older, different implementation to encrypt your passwords. OS authentication isn't used to encrypt passwords yet due to user experience issues that have not been fully worked out.

more options

dkeeler said

OS authentication isn't used to encrypt passwords yet ...

Do I interpret this correctly that using OS authentication to encrypt passwords is planned for some future update?

more options

@DKeeler: OS authentication uses an encryption key stored securely by the operating system to encrypt your credit card information.

Wouldn't that cause issues if you backup files and restore them in another Windows account (i.e can you backup the encryption key and possibly restore it) ? Is this data still stored in the profile folder (indexedDB storage or otherwise) ?

more options

Jan said

Do I interpret this correctly that using OS authentication to encrypt passwords is planned for some future update?

It is not planned for a specific future update, although it may eventually happen.

cor-el said

Wouldn't that cause issues if you backup files and restore them in another Windows account (i.e can you backup the encryption key and possibly restore it) ?

Yes. These are among the user experience issues that I mentioned.

Is this data still stored in the profile folder (indexedDB storage or otherwise) ?

I'm not aware of the encryption key being stored anywhere other than OS managed storage.

more options

Are you able to explain then why Firefox chooses one approach for Credit Cards and another approach for Logins?

... and whether it would be feasible to have both approaches for both, so that users might be able to choose whether they want to use a separate primary password or OS authentication (whether with the OS password or with TouchID or whatever)?

more options

Jan said

Are you able to explain then why Firefox chooses one approach for Credit Cards and another approach for Logins?

99% or so of Firefox users don't set a primary password, meaning data encrypted with that mechanism isn't meaningfully protected if a user's profile gets leaked. There was concern that it would not be appropriate to store credit card information this way, so the new OS-backed implementations were written. The UX challenge of what to do if a profile gets migrated to another computer is less relevant since credit card numbers can always be re-entered using the physical card (unlike with passwords).

... and whether it would be feasible to have both approaches for both, so that users might be able to choose whether they want to use a separate primary password or OS authentication (whether with the OS password or with TouchID or whatever)?

I don't see this as worth the engineering effort. Any future work should be directed towards solving the UX challenges of the OS-backed implementations and migrating away from the primary password system.