I'm worried about Reset Barraging.

Sin_Shadow_Fox
Making moves

I've seen a rise in websites adopting the practice of non-consensually resetting users' passwords, even if that user is protected by 2FA, if there is suspicious activity in their account or their password has been found elsewhere. This has led to a type of Denial of Service attack that can permanently lock people out of their accounts. I'm worried Mozilla might implement this vulnerability into their platform in the belief that it will make the website more secure.

Reset Barraging is a tactic used by hackers to break into accounts, or prevent user access to said accounts, that are protected by 2FA on websites that engage in non-consensual password resetting.

With how advanced the tools and resources hackers use have gotten, especially with the advent of A.I. technologies, passwords are effectively useless if you've been targeted. This is why websites like Microsoft and Pixiv have been working to get rid of passwords altogether. Hackers can easily bust through even the most complex alpha-numeric codes, making breaches almost instantaneous. For an account with 2FA, this isn't an issue, unless the website has a security policy of automatically resetting a user's password if suspicious activity is detected or said user's password is detected elsewhere. This has led to a Denial of Service attack type where hackers will set up a system of locking that user out of their account by continuously trying to log into their account with the correct password (thanks to their tools). This makes the over-relied-upon solution of "reset your password" not only useless but harmful. I've lost access to my PayPal, Facebook and Twitter accounts due to Reset Barraging.

I wanted to raise awareness about this issue before it becomes an issue on Mozilla/Firefox. I hope Mozilla will NOT implement this "security policy" in any future updates.
@Jon 

No Man Left Behind!
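The lockout mechanism the post describes, modelled as an added example (this is constructed illustration code, not Mozilla's or the poster's): a forced-reset policy is compared with one that challenges unknown devices for 2FA and throttles only the offending device. The Account fields, the policy function names, the sample password and the device labels are all assumptions made for the simulation.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    has_2fa: bool
    known_devices: set = field(default_factory=set)
    forced_reset: bool = False  # account unusable until the owner sets a new password
    blocked_devices: set = field(default_factory=set)
    failed_challenges: dict = field(default_factory=dict)

def reset_on_suspicion(acct, password, device, otp_ok):
    """Weak policy: a correct password from an unknown device resets the whole account."""
    if acct.forced_reset:
        return "locked_pending_reset"
    if password != acct.password:
        return "denied"
    if device not in acct.known_devices:
        acct.forced_reset = True  # 2FA is never consulted; the owner is locked out too
        return "locked_pending_reset"
    return "logged_in"

def challenge_and_throttle(acct, password, device, otp_ok, max_failures=3):
    """Hardened policy: unknown devices must pass 2FA; failures throttle that device only."""
    if device in acct.blocked_devices:
        return "device_throttled"
    if password != acct.password:
        return "denied"
    if device in acct.known_devices:
        return "logged_in"
    if acct.has_2fa and not otp_ok:
        n = acct.failed_challenges.get(device, 0) + 1
        acct.failed_challenges[device] = n
        if n >= max_failures:
            acct.blocked_devices.add(device)  # the account itself is never reset
        return "challenge_failed"
    acct.known_devices.add(device)  # enrolled only after passing the 2FA challenge
    return "logged_in"

def simulate(policy, rounds=5):
    """Attacker who knows the password hammers from one device; owner logs in after each try."""
    acct = Account(password="hunter2", has_2fa=True, known_devices={"owner-laptop"})
    results = []
    for _ in range(rounds):
        attacker = policy(acct, acct.password, "attacker-box", otp_ok=False)
        owner = policy(acct, acct.password, "owner-laptop", otp_ok=True)
        results.append((attacker, owner))
    return results
```

Under the weak policy every round ends with the owner locked out pending a reset; under the hardened one the owner logs in every round while the attacking device is challenged and then throttled.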