Mozilla Firefox finally allows you to further protect local access to stored credentials in the browser’s password manager using your device’s login, including a password, fingerprint, pin, or other biometrics.
To be clear, this new feature does not protect against information-stealing malware but rather prevents people with physical or remote access to the device from using the stored credentials without first authenticating with the device.
Like all modern web browsers, Firefox includes a password manager to create unique passwords for every site you visit and then save them in the browser for easier logins in the future.
Google Chromium browsers, such as Google Chrome, Brave, and Microsoft Edge, have included a feature for some time that prevents anyone with local access to your device from viewing saved credentials of filling in login forms.
For example, when attempting to do so on Windows, the browser will open an operating system authentication prompt, asking the user to log in before the credentials will be accessed.
With the release of Firefox 127, Mozilla has finally added a similar feature to the browser.
“For added protection on MacOS and Windows, a device sign in (e.g. your operating system password, fingerprint, face or voice login if enabled) can be required when accessing and filling stored passwords in the Firefox Password Manager about:logins page,” reads the release notes.
Unfortunately, while this protects local access to the password manager, it does not prevent information-stealing malware from stealing stored credentials from infected devices.
Credentials are stored in an encrypted format on disk but are easily decrypted using open-source tools, as the decryption key is stored in the Firefox data.
To further secure Firefox’s password manager, Mozilla suggests setting a Primary Password, which is used to encrypt the password database instead.
As these Primary passwords are only known to you and not stored on your computer, they cannot be exported by threat actors, tools, or malware unless they first brute force the password.
However, primary passwords can still be brute forced, so using a long and complicated password is important to make that task much harder, if not impossible, with current hardware.