Touch ID instead of Primary Password on macOS
In the Forms and Autofill section of Firefox's preferences I am able to choose: "Require macOS authentication to autofill, view, or edit stored credit cards" which allows me to use Touch ID to view/use/edit stored Credit cards.
Is there a way to enable this also for Logins and Passwords? The only option I seem to have available under Logins and Passwords is to "Use a primary password" It would be much easier if I could also set it to use the macOS authentication.
On Firefox Lockwise for iOS it is already possible to set Touch ID to be used to fill/view Logins, but not on the Firefox Desktop browser.
All Replies (11)
You can set signon.management.page.os-auth.enabled = true on the about:config page.
You can open the about:config page via the location/address bar. You can click the button to "Accept the Risk and Continue".
cor-el said
You can set signon.management.page.os-auth.enabled = true on the about:config page.
Hmm, OK, so I did that but I still only see the "Use a Primary Password" option. Is there anywhere else I have to enable it?
Endret
When you do not setup a Primary Password then Firefox can fallback to the OS authentication, so it is using either PP or OS.
If you have a PP setup then you can clear this PP (i.e. leave it blank).
OK, great, I think I'm almost there. :)
So I cleared the PP. Now, when I try to view or edit the password (in about:logins) it asks me for Touch ID. Great! However, when I'm on a website that requires a password, it simply shows me the available logins to chose from and when I click on one it fills in both, name and password, without asking me to authenticate. So now how do I get it to ask me to authenticate before filling the password (as it does with CreditCard info)? I do have Autofill logins and passwords unchecked in about:preferences#privacy (see attached screenshot for how I've configured it) Or is this a bug?
Thank you very much for your help!
The OS authentication works the same as the Primary Password and this means you grant permission once during a session to unlock the passwords and once unlocked Firefox can show login suggestions without asking to authenticate. You can cancel a request to authenticate to logout and require to authenticate once again. For the Primary Password you can find the login state for the Software Security Device in the Security Device Manager, but I don't know if this is possible for OS authentication.
Hmm, so I tried and restarted Firefox, but still, it doesn't ask me to authenticate. I can simply have it autofill the passwords without an prompt or authentication request. (with the Primary Password set, it does ask me automatically after every restart to authenticate) Under Security devices, this is what I see (see attached).
BTW, so what is the difference between having Autofill logins and passwords checked or unchecked? I doesn't seem to be doing anything for me.
However, even if I manage to get this to work, it would still be much safer to ask me every time, similar to how it works with the CreditCard autofill.
Where would you suggest I submit this as a Feature Request?
The screenshot or the device manager shows what can be expected if you haven't set a Primary Password.
Make sure you use "Firefox -> Quit Firefox" to close Firefox because if you close all open windows then Firefox will still be running, so you won't have to re-authenticate when you open a new window.
I'm afraid, I did choose "Quit Firefox" and made sure to wait till all windows were closed. However, neither directly after reopening, nor upon navigating to a website of which I have stored a login, does it ask for authentication.
The only time it asks for authentication is when I navigate to about:logins and try to reveal a password or edit an entry. This seems to be working fine, because even without restarting, as soon as I close the about:logins tab and reopen it, it requires authentication. But at no other time it asks for authentication.
Should this be considered a bug? And if so, where to report it.
Same problem. It could be cool to have the opportunity to need to use the TouchID before using every password (as Safari), or to use the TouchID instead the Primary Password. I don't think that's a bug, I think that they didn't put this option.
Using a TouchID is only cosmetic and doesn't provide real protection like the Primary Password does by encrypting the logins in logins.json with an extra encryption level.
All you would need to do is running this code:
prompt("Logins",JSON.stringify(Services.logins.getAllLogins()));
Oh wow, I had no idea! So that means we shouldn't use the OS authentication at all?
But then how come it works for saved Credit Cards? They must have clearly figured it out how to use the OS authentication in a safe way, or does it mean it's also not safe?