Mozilla Connect

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

Bring back and improve upon Firefox Lockwise

Firefox Lockwise should be brought back. Keeping credentials separate from the browser is part of security best practices, and so it would be great if Lockwise could be brought back in some way. Also, given the recent changes at Twitter, lots of users are looking for 2FA authenticators, and so building this into Lockwise would also create an opportunity for Mozilla to gain a share of that market.

(Note: a similar idea has been merged into this thread)

Hey all, thanks for your ideas! Can you elaborate a bit more on what makes a separate Lockwise made by Mozilla more secure than Firefox made by Mozilla? Is it a feeling of extra safety or feeling of unsafety of a browser or specific attacks that can be prevented that way?

 @ADGrimes i agree with the 2fa authenticators but not that it would be build in the password manger. Why i say it is because of a article i read about someone with the password manager bitwarden. In bitwarden you can save passwords but also 2fa in it. The danger about that is if your bitwarden account got hacked. Then the hacker haves access to your passwords but also the 2fa and you don't want that to happen.    

  Hello @Serg ,  The reason is that it is more secure. let's say you are logged in with your firefox account on your firefox browser. You have saved your crunchyroll account email and password into you firefox browser. The hacker or thief only needs to click on fill email and password. He haves then access in your crunchyroll account. But if you use a password manager like bitwarden then the hacker or thief first needs access to your master password of your bitwarden account to get the email and password of your crunchyroll account. Yes you can say always use 2fa on every account but not every person use that or not every service/website gives the option for 2fa. Look it can be just me but my feelings say that it is safer to use password managers then have it saved into your browser. If you think that there is no difference can you explain then why or if i missed something important in my example. 

@SergThanks for your message. I'm afraid I'm not skilled enough technically to know about specific attacks that this may resolve. However, everything I read online from every source tells me that it is best to use a separate application for credentials.

Being in a separate dedicated application like Lockwise would I assume mean that credentials would not be at risk of browser vulnerabilities and attacks.

@JeppieI hear you, looks like you want this Optionally protect filling of saved logins with OS authentication (including biometrics) to be implemented sooner. There is also Use a Primary Password to protect stored logins and passwords (although I'm not thrilled about it). Will that help?

There is nothing wrong with separate password managers, they exists and they do their job well. But if we can remove the connection between password manager and browser, we remove extra attack surface.

@ADGrimes  I can agree with the part that it's best to use any credential management than to reuse passwords or rely on strong memory and randomness of our brains. Standalone or integrated... it depends. There is no right or wrong answer here.

If the browser is compromised, then no matter how good credential management is, user will fill data from secure box into compromised box. Attackers are patient, they don't popup "Hey, I've stolen your data" alerts and attacks can run for years unnoticed.

If the device is compromised, then it does not matter how good the app is. This is why the most healthy thing you can do is to make sure your OS is up to date, that your biometrics are on when present, that you lock device before leaving it unattended.

@Sergthank you for answering. I have one more question. Is Mozilla interested in passkeys?

Anytime @Jeppie, I can point you to the Bug 1792433 "Implement support for synced application credentials (passkeys)"  to track how passkeys work is happening.

Would be nice if Lockwise returned with a complete set of features for a password manager. It would be great to have relay integration with Lockwise as well. Make Lockwise a true password manager and premium feature that can be used across apps and platforms. 

Yeah, it's a shame that Firefox Lockwise was removed as a separate service. Integrating the password manager with a browser makes sense, but it also limits its use - there are situations when I want access to a password without opening the browser, particularly on mobile.

Google has recently added the option of a desktop shortcut for Google Password Manager, so it might look like they're trying to make it a little more separate from the browser itself. Mozilla could perhaps reuse the Lockwise branding (about:logins isn't exactly a great name), and make it so that you can access it from a shortcut outside of the browser, as a start.

Though obviously, I think that returning Lockwise as a separate app with full password manager features would be great and is a market that could be explored by Mozilla, particularly since other longstanding players have had reputation issues - and Mozilla as a brand is easily associated with privacy.

Lockwise was just nice and simple. I was planning on switching to Lockwise once it had implemented missing features like saving arbitrary text notes/memos with a set of credentials (recovery keys, pin numbers, etc) and had better password generation options.

Its hard for any normal user to set up Firefox on mobile to use as a password manager for the whole phone. And what if someone needs a password manager but hasn't decided to switch to Firefox for browsing yet?

Plus, password management seems to have good enterprise sale possibilities as seen with BitWarden, the other free/libre (open source) option sells functionality like credential sharing, or file attachments service like the now-sunset Firefox Send.