
Introducing Mozilla Firefox Accounts - ibsathish
https://blog.mozilla.org/blog/2014/02/07/introducing-mozilla-firefox-accounts/
======
mcpherrinm
I'm really disappointed this doesn't authenticate against Persona. Supporting
Persona in Firefox seems to be pretty slow coming, and this seems like a big
blow against having it smoothly integrated.

~~~
callahad
Persona is an awesome way to verify email address ownership, but that's only
part of what Sync and the Firefox Marketplace need. For instance, Sync needs a
user-memorable password for client-side encryption, and Marketplace needs the
ability to force users to re-authenticate before a purchase, which is only
feasible in a centralized system. Then there are COPPA concerns: We don't want
to build an age gate into Persona, but we need one on Sync and Marketplace.
Firefox Accounts lets us do that once, up front, and be on our merry way.

Nevertheless, I'm hopeful that we'll integrate Persona into the Firefox
Accounts workflow, but that's still only part of the problem that Firefox
Accounts is trying to solve. :)

(Why wasn't it there at first? We were still working out protocol / data
format details, and sticking with a known username/password system reduced the
number of variables while reinventing Sync.)

~~~
pekk
You do understand how it seems that this is just cannibalizing Persona and
Persona will end up with none of the browser support it needs to fulfill its
vision?

~~~
Fasebook
Sure, but isn't that the point? I mean, did that stop any of the other
gatekeeper models?

------
redditivist
That was a lot of text to say:

"Today, we’re introducing Firefox Accounts as a safe and easy way for you to
create an account. With Firefox Account can integrate services, like Firefox
Sync.

Firefox Sync enables syncing of passwords, bookmarks, history, and open tabs
across devices, now even easier to setup the service and add multiple devices"

------
xiaq
> Last year, we created a new team at Mozilla to explore one specific area of
> the Web that’s grown with the explosion of mobile devices — the cloud
> (sometimes called Internet servers).

Hey Mozilla, you are too honest about the cloud thing. :)

~~~
nathancahill
Truth.

~~~
xiaq
Yeah, after reading this I can imagine myself translating "we have a cloud" to
"WE GOT SERVERS LOL" and the like...

------
chippy
I wouldn't mind the server side component to this. I'd like to run my own
server so that my devices can use. You'd imagine it would be available with it
being Mozilla, right?

Edits: YES! [https://github.com/mozilla/fxa-auth-server](https://github.com/mozilla/fxa-auth-server)

~~~
holygoat
Both the auth server and the Sync server are available.

------
yeukhon
I have to dig this up (sorry Brian, your talk was awesome and visually easy to
get involved; kudos to identity team)

[http://people.mozilla.org/~bwarner/warner-rwc2014/#/](http://people.mozilla.org/~bwarner/warner-rwc2014/#/)

~~~
lotharrr
Thanks! Glad you liked it! I plan to do a proper brown-bag Air-Mozilla
presentation of it soon, so we'll have a video recording available online (and
not just the slides).

FYI, I showed three different designs in that presentation, to
compare/contrast 1: original J-PAKE, 2: intermediate not-used SRP thing, 3:
final non-SRP "onepw" design. More than one audience member was left confused
about which one we're using for Sync. Tell your friends: we're deploying the
last one, nicknamed "onepw", from page 20 of that slide deck:

[http://people.mozilla.org/~bwarner/warner-rwc2014/#/20](http://people.mozilla.org/~bwarner/warner-rwc2014/#/20)

cheers, -Brian (member of Mozilla FxA/Sync team)

------
jeena
Will it still work with the self hosted sync server? Or will there be a self
hosted one for Firefox Accounts?

And I hope they will implement it on Firefox OS very soon, otherwise the whole
syncing is not really that interesting.

~~~
mziulu
I expect those of us that host their own Sync server will have to deploy
this[0] one instead. This is the general idea I got reading [1].

[0]: [https://github.com/mozilla/fxa-auth-server](https://github.com/mozilla/fxa-auth-server)

[1]: [https://blog.mozilla.org/services/2014/02/07/a-better-firefo...](https://blog.mozilla.org/services/2014/02/07/a-better-firefox-sync/)

~~~
darklajid
That.. looks quite a convoluted setup for 'simple' private hosting. Plus, the
instructions seem quite sparse.

Is that something Mozilla is officially endorsing or something that might
perhaps work, good luck with that?

~~~
kbrosnan
New Sync has been in development for about a quarter. Right now all effort on the
Sync project is to get the basic workflows finished and testing the various
Sync clients (Fx Desktop/Fx Android).

The team is looking to have a more understandable self deployment strategy by
the time this ships in Firefox release ~12 weeks. This is not a promise
though. Engineering work is tricky to estimate.

------
RexRollman
I have no problem with Mozilla doing this so long as it's not pushed down my
throat. I have no desire to use a cloud service.

~~~
Pacabel
While they can, of course, do whatever they want, I am disappointed by the
development of unnecessary peripheral functionality such as this.

I think that the resources put toward this endeavor could have been better
spent on improving the performance of Firefox, or perhaps reducing its memory
usage, or even fixing the numerous bugs that affect it. Firefox isn't as bad
as it once was with respect to those things, but there's still much room for
improvement.

Functionality that's useful to a comparatively small number of users should be
prioritized well behind core functionality that affects basically all Firefox
users.

~~~
potch
Engineers aren't just resources to be allocated. Quality isn't a zero-sum
game. If a manager said "all of you should only be working on performance", it
would be a waste of a lot of people's time who aren't performance engineers.

------
insertnickname
> the cloud (sometimes called Internet servers)

------
jemeshsu
I hope Firefox will implement multiple accounts within the browser, similar to
Chrome multiple accounts. If it is backed by Persona, then I will be able to
have web sessions based on email accounts from different providers.

------
PeterWhittaker
_Mozilla is a trusted organization_

Trust is such a poor and overloaded word. What is Mozilla "trusted" to do?
That's a very difficult question to answer.

Perhaps thinking in terms of expectations would be better: My expectation is
that Mozilla will produce a decent browser, with occasional bumps and steps
backwards in response to some _flavour du jour_, most notably in the area of
_wouldn't it be cools_ that break usability. Not to mention the mobile
browser considering my tablet and phone to be the "same type of device", when
my tablet is much closer to my computer - and it's the computer's UX I want
everywhere, not the phone's.

My expectation is that Mozilla will produce a half-decent email client that I
have no real reason to use.

My expectation is that in doing these things Mozilla software will mostly stay
out of my way, mostly work as I expect (sync the function works pretty much as
expected, sync the UX is awful - I still need all manner of extension and app
to get the "move easily from one device to another" experience I really want).

My expectation is that Mozilla will occasionally cook up something new, e.g.,
Persona, that I really don't see a need for, and that Mozilla will be unable
to articulate why that new thing is needed, cool, or anything else.

If Mozilla disappeared tomorrow, I would be quite upset, because FF sucks far
less than every other browser - maybe that's because I am so used to it, that
I've made it work for me, but moving to anything else would be painful. My
expectation is that they will continue to deliver excellent B+ software that
is adequate to my needs and wants.

But why on earth would I expect that I could trust Mozilla with anything more
than my sync information?

I trust Mozilla about as much as I trust my bank, as much as I trust Google,
and, to be fair, more than I trust facebook. But again, trust is the wrong
word: I expect Google to mine my information, make the occasional misstep, but
to by and large attempt to keep my information safe and secure, because if
they don't, it ain't just mine they release, it's millions of ours, and they
cannot afford that.

I expect my bank to mess up UX occasionally, but to do security reasonably
well, and to not share my personal overmuch, because of the regulatory
framework in Canada: They just cannot mess this up without serious
consequence.

I expect facebook to mine, share, intrude, mess around, and generally do
stupid things. I am never disappointed.

What should I expect of Mozilla Accounts?

Nothing. Nothing at all, because "Accounts" is so not what I think of when I
think "Mozilla". I hear "Mozilla" I think "FireFox", I think half-decent
browser, better than others, adequate email client, neither better nor worse,
I think confusing cross-device UX...

...but do I think trust?

Nope.

And the "occasional bump in response to something shiny" mentioned above means
I never will - at least not without major public rebranding.

If I am going to trust you, you need to convince me you are rock-steady
reliable, and never prone to blowing with the wind.

~~~
sp332
Mozilla is the most trusted Internet company, and you can see the methodology
here
[http://www.ponemon.org/local/upload/file/2012%20MTC%20Report...](http://www.ponemon.org/local/upload/file/2012%20MTC%20Report%20FINAL.pdf)
I trust Mozilla to keep my data safe, not mine it or sell it for profit. I
trust Mozilla to give me control over my data. I trust Mozilla to publish an
open API to access my data from other programs. Those are important things
when I'm considering a cloud storage provider.

------
iSnow
How is this any better or different than one of the other cloud providers? I
read nothing about self-hosting this, nothing about end-to-end encryption,
nothing about Persona.

I understand Mozilla is in a tight place with no access to iOS, little market
share in mobile in general and the new walled gardens erected by Google,
Apple, FB and soon Microsoft. But simply playing copy cat and catchup does not
cut it.

~~~
kijin
Click on "same browser-based encryption". It's a link to an earlier blog post
where they explain the encryption methods used in Firefox Sync. It mentions
end-to-end encryption, too.

~~~
tobehonest
As Mozilla is a US-based organization, is anyone afraid of the NSA/USG
commandeering Mozilla to set up pen-register/password-interception a la
Lavabit?

Only a couple of months ago comments like mine would have been passed off as
tin-foil conspiracy. Now, I think everyone's sense of normal is now tightly
wrapped in tin-foil, encased in lead.

~~~
riquito
Opposite to Lavabit, Mozilla can't decrypt your data, so I can't see this
happening, unless they change the open source client code without anyone
noticing.

~~~
rhelmer
The "change the open source client code without anyone noticing" attack vector
is important too: [https://brendaneich.com/2014/01/trust-but-verify/](https://brendaneich.com/2014/01/trust-but-verify/)

------
SkyMarshal
Getting a 404 on the linux dl link for FF Aurora, required to test this new
feature:

[http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/lates...](http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-aurora/firefox-28.0a2.en-US.linux-i686.tar.bz2)

Same with all the English (US) versions in fact. Other languages appear to
work.

~~~
heycam
Try
[http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/lates...](http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-aurora/firefox-29.0a2.en-US.linux-i686.tar.bz2) instead. Not sure why
the Aurora landing page is not using the right link.

~~~
mnordhoff
The version number was bumped, like, yesterday. Probably just an oversight or
a cached web page.

------
BorisMelnik
Love it. I abandoned the old sync. Figuring out how to set it up was more
difficult than trying to learn Julia.

Only thing I didn't love was the icon, but it's beta so hey.

Link to Aurora nightly:

ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-aurora/

~~~
emn13
How is Options>Sync>Pair a Device and follow the directions difficult?

I mean, it was definitely too many steps, and it wasn't labelled clearly
enough which device was the master and which was the slave, but those are more
like "users won't bother to find it" troubles, rather than it actually being
difficult if you want to turn it on.

~~~
yeukhon
Please see the presentation. It gives you some clue why the old sync wasn't
user friendly (you probably can guess already).

[https://news.ycombinator.com/item?id=7200425](https://news.ycombinator.com/item?id=7200425)

Basically, many assumed it was a backup program. Recovery was painful. There
were multiple iterations of enhancement before they decided to roll out Fx
Account, it was clear that users didn't like the original Sync.

Fx Account is more than Sync. This is like having a Google account and allows
you to connect to Mozilla services like Marketplace and all instances of
Firefox a user owns.

~~~
emn13
Oh yeah, I totally agree the old sync wasn't friendly - but that's something
totally different. It wasn't intuitive, and it was surprising in that it
really was just a sync, not a backup. Nevertheless, it was still pretty easy
to enable if you actually wanted to.

Easy can still be frustrating (as in why all these steps and which machine is
which, and why do I even need to look up how to do this?), and it can still be
user unfriendly (as in not allowing recovery).

------
graetzer
Does anyone know if there will be a standalone client library for this API? I
build an iOS browser that works with the old sync api and building a client on
my own is probably a bad idea

~~~
holygoat
The storage API is very similar -- a few record extensions, a few headers
changed. The auth layer is completely new, and there's no iOS client library
for it, nor any plans for one that I know of.

~~~
graetzer
Do you think it would be possible to re-use the sync-code from firefox
directly? The library wouldn't have to be iOS specific.

------
johnchristopher
Will I be able to use a Firefox Account in Google Chrome?

------
fibo
Finally! Doh, I need to install Aurora by now

------
Eleutheria
> Does Firefox Accounts provide email? No.

Bummer. I've been waiting for more than ten years to get a firefox email
account.

What's the easiest way to have hundreds of millions of loyal followers that
use your web services on a daily basis?

Email.

That's the starting point, besides the browser.

------
lazyjones
How long till this is integrated with the main sponsor's unloved child, G+?

I've got more pressing matters than yet another account with personal
information and data kept in the US ...

~~~
holygoat
Mozilla Corporation gets paid by Google to offer Google as a search engine to
Firefox users. There's no sponsorship relationship — it's a mutual exchange of
value.

See the corporation's audited financial statements:

[https://static.mozilla.com/moco/en-US/pdf/Mozilla_Audited_Fi...](https://static.mozilla.com/moco/en-US/pdf/Mozilla_Audited_Financials_2012.pdf)

