mozilla / policy-templates

Policy Templates for Firefox
Mozilla Public License 2.0

Prevent users from protecting their password using the device password #1148

Closed htcfreek closed 3 months ago

htcfreek commented 3 months ago

Is there a policy or preference to disable the feature "secure access to passwords with device credentials"? I'd like to disable this feature but not disable the Master Password.

Firefox documentation for reference: https://support.mozilla.org/en-US/kb/firefox-password-authentification-prompt

htcfreek commented 3 months ago

@mkaply I did some investigation. There is no simple preference value I can set. This is controlled by an encrypted string preference that has to contain the encrypted text "opt out".

Is it possible to implement a policy to disable this feature?

(Use case: We back up our Firefox profile in case the computer crashes. And I worry that the password can't get decrypted on the replacement computer. So I'd like to disable this feature.)

mkaply commented 3 months ago

Yes, I've reached out to the developer to see if we can get a policy done.

The "opt out" encrypted text unfortunately is machine unique so there's no way to set it.

htcfreek commented 3 months ago

> Yes, I've reached out to the developer to see if we can get a policy done.

Perfect.

> The "opt out" encrypted text unfortunately is machine unique so there's no way to set it.

I expect that.

htcfreek commented 3 months ago

> The "opt out" encrypted text unfortunately is machine unique so there's no way to set it.

@mkaply Does this mean copying the FF configuration/profile to a new computer/user profile will break the preference setting value and enable the feature? If yes, this will be a very big problem for our backup system, which only copies and pastes the FF profile directory.

Can the new policy get priority to come with a minor release of the ESR and not with the next major ESR in 2025?

mkaply commented 3 months ago

I need to test it, but we believe that copying to a new computer should work because the crypto that's used is in the cert DB which is a part of the profile.

mkaply commented 3 months ago

I tested and verified that as long as DB files are backed up with the profile (which they always should be), it will work fine.
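The comment above makes the key point for anyone relying on profile copies: the logins stay decryptable only if the NSS database files travel with the profile. The following shell functions are an added example written for this page, not code from the policy-templates project or from the issue participants. They check that a backup directory contains the files Firefox's saved-logins encryption depends on (`key4.db` and `cert9.db` are the NSS key and certificate databases; `logins.json` holds the encrypted logins) and that the copies are byte-identical to the live profile. The directory paths are placeholders supplied by the caller; the file list is the assumption this check rests on.

```shell
#!/bin/sh
# Added example (not from the issue thread or the project).
# Files a profile backup must carry for saved logins to remain decryptable:
# key4.db and cert9.db (NSS databases) plus logins.json (encrypted logins).
# Assumption: the backup is a plain file copy of the profile directory.
REQUIRED_PROFILE_FILES="key4.db cert9.db logins.json"

# Return 0 if every required file is present and non-empty in the backup,
# otherwise print the missing names to stderr and return 1.
check_profile_backup() {
  backup_dir="$1"
  missing=""
  for f in $REQUIRED_PROFILE_FILES; do
    if [ ! -s "$backup_dir/$f" ]; then
      missing="$missing $f"
    fi
  done
  if [ -n "$missing" ]; then
    echo "backup $backup_dir is missing:$missing" >&2
    return 1
  fi
  return 0
}

# Return 0 if the required files in the backup are byte-identical to the
# live profile. A mismatch usually means the copy was taken while Firefox
# was still writing, so the backup should be redone with the browser closed.
verify_backup_matches() {
  profile_dir="$1"
  backup_dir="$2"
  for f in $REQUIRED_PROFILE_FILES; do
    if ! cmp -s "$profile_dir/$f" "$backup_dir/$f"; then
      echo "$f differs between $profile_dir and $backup_dir" >&2
      return 1
    fi
  done
  return 0
}

# Usage (paths are placeholders):
#   check_profile_backup /backups/ff-profile && \
#   verify_backup_matches "$HOME/.mozilla/firefox/xxxxxxxx.default" /backups/ff-profile
```

Run both checks after each backup job with Firefox closed; a failing `verify_backup_matches` on the database files is the case the thread warns about, since a stale or truncated `key4.db` leaves the restored profile unable to decrypt its logins.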

mkaply commented 3 months ago

I've opened a bug here to follow this:

https://bugzilla.mozilla.org/show_bug.cgi?id=1914189