
Proposal: PasswordManager on FxOS


Alive

Dec 5, 2013, 3:20:24 AM
to dev-webapi, dev...@lists.mozilla.org, dev-gaia, Paul Theriault
Hi folks,

I'd like to have a password manager inside our operating system to store and manage passwords you've typed in FxOS.

This is an old item in my mind beyond FxOS v1.0 when I sadly found our phone crashed when we visited the Mozilla phonebook.
(It was fixed a long time ago so we support HTTP authentication well now.)

Again, think about this case:
EVERY time you visit https://phonebook.mozilla.org/, you need to retype the password :)
Other than this case, there are tons of pages on the web that have a password field.

Today I discussed this with Paul, from the security team, and was glad to know he also loves this idea.
And what's not good is, it sounds like we are still far away from the password manager.

1A. We need a stronger password for the lock code. It'd be used as the key for all your passwords. (from Paul)
1B. We need to change the way the lock code is stored. No settings.
2. We need some way to encrypt.
3A. We need to store the password somewhere safely.
3B. We need an API to store the password. This API shall only be used by the gaia system app IMHO?

Item (1A) is pure gaia work, but some of my concerns now are:
* Need UX (Hello UX ww!)
* We'd love to have a standalone lockscreen app,
and I wonder whether a standalone app would break the security, though this is not in our case.
Item (2) and (3): I'm afraid I need gecko-ers to chime in here.

Password storing on desktop browsers was noticed by the world because the Chrome browser just puts the plain password there and you can easily see it in the settings.
IMO we won't want the plain password...? And "encrypt" in gecko is now in a slightly ambiguous state: which way, and how to do it?
I'm still very new to this area so I don't have an exact idea of what we shall do ;)

I believe this post is just a small step to reach what we finally want to have,
so I would appreciate it if anyone stands up to push this or states an opinion!

Thanks for reading :)
Alive
--
Alive C. Kuo, Front-end Engineer, FirefoxOS, MoCo. Taiwan, Taipei office.
al...@mozilla.com




Alive

Dec 5, 2013, 3:41:31 AM
to nat...@mozilla.com, dev-webapi, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
Hey!

Might be.

AFAIK FxOS Account/Person is just one of the ways to identify the user,
but we cannot force every web page to use this service, right? There are still tons of ways of authentication on the internet.

For sure it does help and comfort the life of the user, so thanks to anyone working on FxOS Account!

-Alive

Natalia Martinez-Winter <nat...@mozilla.com> wrote on 2013/12/5 at 4:35 PM:

> Hi,
>
> I don't know much about those services but I thought we wanted to integrate Firefox Persona and Accounts in Firefox OS. Do those services provide the equivalent "password manager" service in the end ? (in the cloud)
>
> latest status I found is here : https://wiki.mozilla.org/Identity/Department_Status/2013-11-22
>
>
> Natalia Martinez-Winter
> _______________________________________________
> dev-gaia mailing list
> dev-...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-gaia

Stephany Wilkes

Dec 5, 2013, 3:54:44 AM
to Alive, dev-webapi, Paul Theriault, dev-gaia, dev...@lists.mozilla.org, nat...@mozilla.com
Just a few notes on whom to include here...

John Gruen is UX on FxA (Firefox Accounts).

Tauni Oxborrow and Erin Lancaster manage Identity, FxA, and Where's My Fox work.

They should all be kept in the loop on this.

S.

Jan Jongboom

Dec 5, 2013, 4:49:24 AM
to
If we can just enable extensions for Firefox OS like we have in FF for Android we could solve this problem there already right? On Android all my passwords are in LastPass and that works great.

Natalia Martinez-Winter

Dec 5, 2013, 3:35:05 AM
to Alive, dev-webapi, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
Hi,

I don't know much about those services but I thought we wanted to integrate Firefox Persona and Accounts in Firefox OS. Do those services provide the equivalent "password manager" service in the end ? (in the cloud)

latest status I found is here : https://wiki.mozilla.org/Identity/Department_Status/2013-11-22


Natalia Martinez-Winter

----- Original Message -----
From: "Alive" <al...@mozilla.com>
To: "dev-webapi" <dev-w...@lists.mozilla.org>, dev...@lists.mozilla.org, "dev-gaia" <dev-...@lists.mozilla.org>
Cc: "Paul Theriault" <pther...@mozilla.com>
Sent: Thursday, 5 December, 2013 4:20:24 PM
Subject: Proposal: PasswordManager on FxOS

Fabrice Desré

Dec 5, 2013, 6:21:38 PM
to Jan Jongboom, dev...@lists.mozilla.org
On 12/05/2013 01:49 AM, Jan Jongboom wrote:
>
> If we can just enable extensions for Firefox OS like we have in FF for Android we could solve this problem there already right? On Android all my passwords are in LastPass and that works great.

Which kind of extension support do we need for that? There is
user-script support in the pipeline, would this be enough?

Fabrice
--
Fabrice Desré
b2g team
Mozilla Corporation

Ehsan Akhgari

Dec 5, 2013, 6:28:30 PM
to Alive, dev-webapi, dev...@lists.mozilla.org, dev-gaia, Paul Theriault
On 12/5/2013, 3:20 AM, Alive wrote:
> Hi folks,
>
> I'd like to have a password manager inside our operating system to store and manage passwords you'd typed in the FxOS.
>
> This is an old item in my mind beyond FxOS v1.0 when I sadly found our phone crashed when we visited mozilla phonebook.
> (It had been fixed long time ago so we support HTTP authentication well now.)
>
> Again, think about this case:
> EVERY time you visit https://phonebook.mozilla.org/, you need to retype the password :)
> Other than the case, there're tons of pages on the web having a password field.
>
> Today I discussed with Paul, from security team, and be glad to know he also loves this idea.
> And what's not good is, it sounds like we are still far away from the password manager.
>
> 1A. We need a stronger password for lock code. It'd be used for the key for all your passwords. (from Paul)
> 1B. We need to change the way storing lock code. No settings.
> 2. We need some way to encrypt.

Can we use the existing encryption facility that we use when a master
password is set?

> 3A. We need to store the password somewhere safely.
> 3B. We need API to store the password. This API shall be only used by gaia system app IMHO?

Do we need to allow other applications to access this safe password
store? I think the answer is no, and if that's the case, I'm not
convinced that we need to design a general purpose API here.

> Item (1A) Is a pure gaia work but some of my concern now are:
> * Need UX (Hello UX ww!)
> * We'd love to have a standalone lockscreen app,
> and I wonder a standalone app would break the security, though this is not in our case.
> Item (2) and (3) I'm afraid I need gecko-er's chime in here.
>
> The password storing on desktop browser is noticed by the world due to Chrome browser just put the plain password and you could easily see it in the setting.

We do the same, except that we let people encrypt their passwords DB
using a master password, and we prompt for that when you try to access
your password. I find this very fragile, and I'm not sure if we want to
repeat this in Firefox OS. We should be able to solve this problem by
1) not exposing plaintext passwords anywhere in the UI, and 2)
encrypting them with a master password. I'm not sure what the UX for
entering that password would look like.

Another thing to note is that we probably don't want to expose the
password DB in the child process. All requests to access and/or modify
this DB should be forwarded to the parent process.

Cheers,
Ehsan

Adam Rogers

Dec 5, 2013, 7:41:16 PM
to Ehsan Akhgari, dev-webapi, Alive, Paul Theriault, dev...@lists.mozilla.org, dev-gaia

All, I have added Password Manager functionality to the feature backlog for Firefox Accounts. While there are clearly many questions to answer, this is something that we are interested in pursuing. At this point, due to a significant number of unknowns, there is no target release specified for these features.

Thanks,

Adam


----- Original Message -----
From: "Ehsan Akhgari" <ehsan....@gmail.com>
To: "Alive" <al...@mozilla.com>, "dev-webapi" <dev-w...@lists.mozilla.org>, dev...@lists.mozilla.org, "dev-gaia" <dev-...@lists.mozilla.org>
Cc: "Paul Theriault" <pther...@mozilla.com>
_______________________________________________
dev-b2g mailing list
dev...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g

Alive

Dec 5, 2013, 11:01:23 PM
to Fabrice Desré, Jan Jongboom, dev...@lists.mozilla.org
Extensions sound like another big world to me.
An extension should have some UI, and I wonder who would render the UI of those extensions on FxOS?

Fabrice Desré <fab...@mozilla.com> wrote on 2013/12/6 at 7:21 AM:

> On 12/05/2013 01:49 AM, Jan Jongboom wrote:
>>
>> If we can just enable extensions for Firefox OS like we have in FF for Android we could solve this problem there already right? On Android all my passwords are in LastPass and that works great.
>
> Which kind of extension support do we need for that? There is
> user-script support in the pipeline, would this be enough?
>
> Fabrice
> --
> Fabrice Desré
> b2g team
> Mozilla Corporation

Ehsan Akhgari

Dec 6, 2013, 12:49:11 PM
to Adam Rogers, dev-webapi, Alive, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
Thanks for the note, Adam. Where is the discussion about this happening
(assuming that it has started yet)?

Thanks!
Ehsan

Adam Rogers

Dec 6, 2013, 1:28:03 PM
to Ehsan Akhgari, dev-webapi, Alive, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
Hi Ehsan,

Formal discussions have not started yet, but I have been taking notes on threads like this. I'm happy to include you in the meetings as we move to formalize the ideas into actions.

Ehsan Akhgari

Dec 6, 2013, 2:03:09 PM
to Adam Rogers, dev-webapi, Alive, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
On 12/6/2013, 1:28 PM, Adam Rogers wrote:
> Hi Ehsan,
>
> Formal discussions have not started yet, but I have been taking notes on threads like this. I'm happy to include you in the meetings as we move to formalize the ideas into actions.

Yeah, I'm somewhat interested in this, so I'd appreciate that!

Cheers,
Ehsan

Jan Jongboom

Dec 9, 2013, 4:44:24 AM
to Alive, Fabrice Desré, Mozilla B2G mailing list
I don't really know what I want. Just the stuff that we have in FF for
Android? Are those extensions or user scripts?


On Fri, Dec 6, 2013 at 5:01 AM, Alive <al...@mozilla.com> wrote:

> Extension sounds another big world to me.
> The extension should have some UI and I wonder who would render the UI of
> those extensions on FxOS?
>
> Fabrice Desré <fab...@mozilla.com> wrote on 2013/12/6 at 7:21 AM:
>
> On 12/05/2013 01:49 AM, Jan Jongboom wrote:
>
>
> If we can just enable extensions for Firefox OS like we have in FF for
> Android we could solve this problem there already right? On Android all my
> passwords are in LastPass and that works great.
>
>
> Which kind of extension support do we need for that? There is
> user-script support in the pipeline, would this be enough?
>
> Fabrice
> --
> Fabrice Desré
> b2g team
> Mozilla Corporation

Fabrice Desré

Dec 9, 2013, 10:59:51 AM
to Jan Jongboom, Alive, Mozilla B2G mailing list
On 12/09/2013 01:44 AM, Jan Jongboom wrote:
> I don't really know what I want. Just the stuff that we have in FF for
> Android? Are those extensions or user scripts?

FF for Android has old style extensions. We'll never have them on b2g.
But I'd like to understand what a lastpass extension needs.

Reuben Morais

Dec 9, 2013, 2:42:04 PM
to Fabrice Desré, Alive, Jan Jongboom, Mozilla B2G mailing list
On Dec 9, 2013, at 13:59, Fabrice Desré <fab...@mozilla.com> wrote:
> On 12/09/2013 01:44 AM, Jan Jongboom wrote:
>> I don't really know what I want. Just the stuff that we have in FF for
>> Android? Are those extensions or user scripts?
>
> FF for Android has old style extensions. We'll never have them on b2g.
> But I'd like to understand what a lastpass extension needs.

A LastPass dev is of course the ideal person to answer this, but from my experience with the extension, a minimum viable product would need access to forms and HTTP auth dialogs, and some minimal UI for browsing and editing saved passes (worst case they can open https://lastpass.com/mobile/ in a tab).

-- reuben

Axel Hecht

Dec 9, 2013, 2:59:07 PM
to mozilla...@lists.mozilla.org
On 12/9/13 8:59 AM, Fabrice Desré wrote:
> On 12/09/2013 01:44 AM, Jan Jongboom wrote:
>> I don't really know what I want. Just the stuff that we have in FF for
>> Android? Are those extensions or user scripts?
>
> FF for Android has old style extensions. We'll never have them on b2g.
> But I'd like to understand what a lastpass extension needs.
>
> Fabrice
>

Are you sure that we shouldn't make use of the gecko add-on
functionality to hook up extensions to gecko?

There seems to be much functionality in terms of compatibility, startup,
updates, hooks etc that we'd need to reinvent if we're going for
something else.

I do see that addons trying to actually tweak or extend gaia might want
something else.

Axel

Frederik Braun

Dec 10, 2013, 2:58:39 AM
to dev...@lists.mozilla.org
On 09.12.2013 16:59, Fabrice Desré wrote:
> On 12/09/2013 01:44 AM, Jan Jongboom wrote:
>> I don't really know what I want. Just the stuff that we have in FF for
>> Android? Are those extensions or user scripts?
>
> FF for Android has old style extensions. We'll never have them on b2g.
> But I'd like to understand what a lastpass extension needs.

A WebActivity that returns a text for a given input tag name + form URL?

Paul Theriault

Dec 11, 2013, 2:46:05 AM
to Frederik Braun, dev...@lists.mozilla.org
I don't think Web Activities are appropriate here - apart from the awkward UX, it wouldn't be possible for the password manager app to know that the requesting app wasn't being malicious. (or I can't think of how it would do this, maybe others can).

One approach I was pondering was creating a keyboard app that remembered your passwords. It's not as seamless, as the user would need to tap a password field prior to the password being populated. But maybe it is currently possible without any additional APIs ? (Just a half-baked idea really)

This of course doesn't solve any of the requirements listed in the first email around protecting passwords in storage. Note my comments around a stronger login password are only relevant if you plan on using a key derived from the user's passcode to encrypt passwords at rest. There probably are other alternatives (like encouraging the user to set a "Password Manager Password" on first use etc).

- Paul
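
The point above about a key derived from the user's passcode, and item 1A in the first mail, can be made concrete. This is an added example, not code from the thread or from Firefox OS: it assumes PBKDF2-SHA256 and AES-256-GCM from Node's `crypto` module, and the function names, iteration count, and the choice to bind the site origin as associated data are all hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed parameters (not from the thread): PBKDF2-SHA256 work factor, AES-256 key.
const KDF_ITERATIONS = 100000;
const KEY_LEN = 32;

// Stretch the user's passcode into an encryption key; the salt is per record.
function deriveKey(passcode, salt) {
  return nodeCrypto.pbkdf2Sync(passcode, salt, KDF_ITERATIONS, KEY_LEN, 'sha256');
}

// Encrypt one saved password. The origin is bound as AAD, so a record copied
// under another site's entry fails authentication when it is opened.
function sealLogin(passcode, origin, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passcode, salt), iv);
  cipher.setAAD(Buffer.from(origin, 'utf8'));
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the passcode, origin or record is wrong.
function openLogin(passcode, origin, rec) {
  const key = deriveKey(passcode, rec.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  decipher.setAAD(Buffer.from(origin, 'utf8'));
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString('utf8');
  } catch (e) {
    return null; // GCM tag check failed: nothing is released
  }
}

// Upper bound on the guessing entropy of a passcode, in bits. The record is
// only as strong as this number, whatever cipher wraps it.
function passcodeBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Constructed sample values, for illustration only.
const demo = sealLogin('a longer passphrase', 'https://phonebook.mozilla.org/', 'pw-constructed');
console.log(openLogin('1234', 'https://phonebook.mozilla.org/', demo));
console.log(passcodeBits(10, 4).toFixed(1), 'bits for a 4-digit lock code');
console.log(passcodeBits(36, 12).toFixed(1), 'bits for 12 lowercase letters/digits');
```

The stored record holds only salt, IV, ciphertext and tag; the passcode and the derived key stay out of persistent storage, which is what item 1B (not keeping the lock code in settings) is asking for.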