
Mozilla Firefox can now secure access to passwords using device credentials

Mozilla Firefox finally allows you to further protect local access to credentials stored in your browser’s password manager by requiring your device login, such as your password, fingerprint, PIN, or other biometrics.

To be clear, this new feature does not protect against information-stealing malware, but rather prevents people with physical or remote access to the device from using stored credentials without first authenticating to the device.


Like all modern web browsers, Firefox includes a password manager that creates unique passwords for each website you visit, then saves them in the browser to make it easier to log in in the future.

Google Chromium browsers such as Google Chrome, Brave, and Microsoft Edge have for some time included a feature that prevents anyone with local access to your device from viewing your saved credentials when filling out login forms.

For example, when you try to do this on Windows, the browser prompts for operating system authentication, requiring you to log in before you can access your credentials.

With the release of Firefox 127, Mozilla finally added a similar feature to the browser.

“For additional protection on macOS and Windows, a device sign-in (e.g., operating system password, fingerprint, face or voice login, if enabled) may be required when accessing and completing passwords stored in your browser’s Firefox Password Manager on about:logins,” reads the release notes.

Using Windows Authentication to access your Firefox password vault
Source: BleepingComputer

Unfortunately, while this protects local access to the password manager, it does not prevent information-stealing malware from taking stored credentials from infected devices.

The credentials are stored on disk in an encrypted format, but can be easily decrypted using open source tools because the decryption key is stored in Firefox data.

To further secure your Firefox password manager, Mozilla suggests setting a primary password, which is instead used to encrypt your password database.

Setting a Master Password in Firefox
Source: BleepingComputer

Because these master passwords are known only to you and are not stored on your computer, they cannot be exported by threat actors, tools, or malware unless they brute-force the password first.

However, master passwords can still be brute-forced, so using long and complex passwords is important: it makes this task much more difficult, if not impossible, with current hardware.
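For administrators who want to know where the primary-password advice above is not being enforced, the following added example (not from the original article or from Mozilla) audits a set of Firefox profile directories. It assumes Firefox's enterprise `policies.json` file with its `PrimaryPassword` policy and the per-profile `logins.json` store; the function names, the `needs_review` flag and the sample profile tree are constructed for illustration. A missing policy only shows that a primary password is not enforced, not that the user has not set one.

```python
import json
import tempfile
from pathlib import Path


def primary_password_enforced(policies_file: Path) -> bool:
    """True if the enterprise policy file requires a primary password."""
    try:
        data = json.loads(policies_file.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return False  # a missing or unreadable policy file enforces nothing
    policies = data.get("policies", {}) if isinstance(data, dict) else {}
    return isinstance(policies, dict) and policies.get("PrimaryPassword") is True


def saved_login_count(profile_dir: Path) -> int:
    """Count entries in a profile's logins.json; no secrets are read or decrypted."""
    try:
        data = json.loads((profile_dir / "logins.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return 0
    logins = data.get("logins", []) if isinstance(data, dict) else []
    return len(logins) if isinstance(logins, list) else 0


def audit(profiles_root: Path, policies_file: Path) -> list[dict]:
    """Flag profiles holding saved logins while no policy enforces a primary password."""
    enforced = primary_password_enforced(policies_file)
    report = []
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        count = saved_login_count(profile)
        report.append({"profile": profile.name, "saved_logins": count,
                       "needs_review": count > 0 and not enforced})
    return report


def demo(enforce: bool = False) -> list[dict]:
    """Audit a constructed profile tree (sample data, not real credentials)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "Profiles")
        (root / "abc123.default-release").mkdir(parents=True)
        (root / "xyz789.work").mkdir()
        sample = {"logins": [{"hostname": "https://example.test",
                              "encryptedUsername": "CONSTRUCTED",
                              "encryptedPassword": "CONSTRUCTED"}]}
        (root / "abc123.default-release" / "logins.json").write_text(json.dumps(sample))
        policy = Path(tmp, "policies.json")
        policy.write_text(json.dumps({"policies": {"PrimaryPassword": enforce}}))
        return audit(root, policy)
```

Point `audit()` at the real profiles directory and the `distribution/policies.json` of the Firefox installation to run it against a workstation.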