Mozilla Mandates Two-Factor Authentication for Firefox Extension Developers

Mozilla has announced that starting in 2020, developers of Firefox extensions will be required to use two-factor authentication (2FA) for their accounts. Specifically, this applies to accounts on the Mozilla Add-Ons portal.

The company explained that this step is being taken to enhance user security, as 2FA helps effectively prevent potential attackers from taking control of legitimate add-ons and their users. This new security measure is aimed at protecting against supply chain attacks.

If a developer’s account is compromised, attackers can distribute malicious, updated versions of hijacked extensions to users. Since add-ons in Firefox have highly privileged access, cybercriminals can use a compromised extension to steal passwords, authentication and session cookies, spy on users, or redirect victims to phishing pages or malware sites.

Interestingly, in recent years, there have been no recorded cases of Mozilla Add-Ons developer accounts being hacked to hijack Firefox extensions. However, there have been many such incidents involving Chrome extensions. For example, last year hackers actively targeted extension developers, and similar incidents continue to occur.