Require device sign in to fill and manage passwords BUT with GPO?

  • 2 replies
  • 0 have this problem
  • Last reply by cor-el


I am working on deploying Firefox with a GPO and I noticed that a saved password can be easily viewed just by going into the password manager. I found a way to disable the password manager altogether, but then you can't save passwords. I am looking for a way just to "Require device sign in to fill and manage passwords", as it says, so it's not just clicking the eyeball to see the password. I saw this article ( https://support.mozilla.org/en-US/kb/firefox-password-authentification-prompt ) which is how I got the description for this, and that seems to be exactly what I want, but I cannot find this setting anywhere in the GPO. Anyone know where it is, or perhaps maybe you could add it?

All Replies (2)

awebber1, sorry, can't help with GPO.

Speaking as a user, I am not sure how secure Device sign-in authentication actually is? It might prevent a casual user from seeing passwords inside Firefox itself, but several sites have reported that it won't stop information-stealing malware, as it does not add any encryption to the files that store the passwords on the hard drive? I.e., anyone who can access the hard drive can ultimately retrieve the logins independently of the user's Firefox settings?

Someone can correct me if I am wrong, but perhaps a more secure route is to add a primary password, as this adds a second layer of encryption to the hard drive files. And so even if someone did obtain the files they would still need to know this primary password (or brute force it) in order to decrypt the stored logins.

Just something to possibly consider, and I believe that there are GPO options related to primary passwords?

https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins

Modified by TechHorse

I think that Firefox should automatically switch to OS authentication if you aren't using the Primary Password.

You can set this pref via GPO to ensure this. Signon prefs can be set via the Preferences policy.

  • signon.management.page.os-auth.enabled => true

See also the PrimaryPassword policy.

Note that using Biometrics like Windows Hello/PIN instead of the Primary Password to protect the logins is less secure, as it doesn't encrypt the logins stored in logins.json like the Primary Password does, and having access to logins.json and key4.db and placing them in a Firefox profile is sufficient to inspect the logins. Using Biometrics merely makes it harder to access/view passwords in the Password Manager, but Firefox will still be able to fill a login on a webpage without asking. This is also the case if you unlock the passwords via the Primary Password during a session.

Firefox does support the OS Authentication feature, but it hasn't been enabled.
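
An added example, not part of the replies above and not Mozilla's code: a Python check that audits a Firefox policies.json document for the two settings named in the last reply (the os-auth pref set through the Preferences policy, and the PrimaryPassword policy). The function name `audit_policies` is hypothetical and both sample documents are constructed; the `Value`/`Status` layout is the Preferences policy's JSON format.

```python
import json

# Pref named in the reply above.
OS_AUTH_PREF = "signon.management.page.os-auth.enabled"

def audit_policies(policies_json: str) -> list[str]:
    """Return a list of findings for a Firefox policies.json document."""
    policies = json.loads(policies_json).get("policies", {})
    findings = []

    prefs = policies.get("Preferences", {})
    # The GPO template takes Preferences as JSON text, so accept a string too.
    if isinstance(prefs, str):
        prefs = json.loads(prefs)
    entry = prefs.get(OS_AUTH_PREF)
    if not isinstance(entry, dict) or entry.get("Value") is not True:
        findings.append("os-auth pref is not set to true")
    elif entry.get("Status") != "locked":
        findings.append("os-auth pref is not locked, users can change it")

    # Per the thread, OS authentication only gates the Password Manager UI;
    # the Primary Password is what protects the stored logins themselves.
    if policies.get("PrimaryPassword") is not True:
        findings.append("PrimaryPassword is not required")
    return findings

# Constructed sample: pref set but left changeable, no Primary Password.
WEAK = json.dumps({"policies": {"Preferences": {
    OS_AUTH_PREF: {"Value": True, "Status": "default"}}}})

# Constructed sample: pref locked on and Primary Password required.
HARDENED = json.dumps({"policies": {
    "Preferences": {OS_AUTH_PREF: {"Value": True, "Status": "locked"}},
    "PrimaryPassword": True}})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_policies(doc) or "no findings")
```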
