Using OS authentication (e.g., TouchID) for Credit Cards and Logins
Apologies for re-posting, I asked about this issue before https://support.mozilla.org/en-US/questions/1323826, but it was archived without any response :(
In an answer to this question: https://support.mozilla.org/en-US/questions/1318109#answer-1376159 cor-el warned that using OS authentication (for example, TouchID on a Mac) for passwords instead of a Primary Password is actually not really safe because it doesn't encrypt logins in logins.json and it would be possible to extract them by running: prompt("Logins",JSON.stringify(Services.logins.getAllLogins())); Now I am a bit confused because for storing Credit Cards the default is, of course, using OS authentication (I don't think there's an option to set a password instead). So I am wondering, is that safe, i.e., is the credit card information encrypted that I can retrieve with my TouchID (even without a Primary Password)?
And if so, would anybody be able to explain the differences between these two approaches and why the Firefox developers chose one for Logins/Passwords but the other for Credit Cards.
All Replies (6)
OS authentication uses an encryption key stored securely by the operating system to encrypt your credit card information. The "primary password' mechanism uses an older, different implementation to encrypt your passwords. OS authentication isn't used to encrypt passwords yet due to user experience issues that have not been fully worked out.
dkeeler said
OS authentication isn't used to encrypt passwords yet ...
Do I interpret this correctly that using OS authentication to encrypt passwords is planned for some future update?
@DKeeler: OS authentication uses an encryption key stored securely by the operating system to encrypt your credit card information.
Wouldn't that cause issues if you backup files and restore them in another Windows account (i.e can you backup the encryption key and possibly restore it) ? Is this data still stored in the profile folder (indexedDB storage or otherwise) ?
Jan said
Do I interpret this correctly that using OS authentication to encrypt passwords is planned for some future update?
It is not planned for a specific future update, although it may eventually happen.
cor-el said
Wouldn't that cause issues if you backup files and restore them in another Windows account (i.e can you backup the encryption key and possibly restore it) ?
Yes. These are among the user experience issues that I mentioned.
Is this data still stored in the profile folder (indexedDB storage or otherwise) ?
I'm not aware of the encryption key being stored anywhere other than OS managed storage.
Are you able to explain then why Firefox chooses one approach for Credit Cards and another approach for Logins?
... and whether it would be feasible to have both approaches for both, so that users might be able to choose whether they want to use a separate primary password or OS authentication (whether with the OS password or with TouchID or whatever)?
Jan said
Are you able to explain then why Firefox chooses one approach for Credit Cards and another approach for Logins?
99% or so of Firefox users don't set a primary password, meaning data encrypted with that mechanism isn't meaningfully protected if a user's profile gets leaked. There was concern that it would not be appropriate to store credit card information this way, so the new OS-backed implementations were written. The UX challenge of what to do if a profile gets migrated to another computer is less relevant since credit card numbers can always be re-entered using the physical card (unlike with passwords).
... and whether it would be feasible to have both approaches for both, so that users might be able to choose whether they want to use a separate primary password or OS authentication (whether with the OS password or with TouchID or whatever)?
I don't see this as worth the engineering effort. Any future work should be directed towards solving the UX challenges of the OS-backed implementations and migrating away from the primary password system.