Bad email design
I decided I’d sign up for a Firefox account. After setting up a unique email for the account and giving it my details, I was greeted with a dialogue asking me to enter in a validation code sent by email.
The code expired in five minutes.
This is terrible design, because there is no guarantee any given piece of email can be delivered and read within five minutes. For example, as an anti-spam measure my email provider implements greylisting. For previously unseen senders it soft-rejects the initial connection, asking the sender to retry in a few minutes. Properly implemented mail programs will wait and re-send; spammers are unlikely to do so.
Due to the greylisting, the initial email took twenty minutes to arrive. I entered the six-digit verification code, which unsurprisingly failed. However, it offered to send another one. I let it do so, and that email arrived within three minutes. But the new verification code failed as well.
When I went back to check the two emails, they both had the exact same sending time. It’s possible, therefore, that Firefox never reset the five-minute timeout when it sent the new email.
Eventually I simply shut down Firefox altogether and restarted the process. This time it sent a different email with a very long verification link. There was no indication in the email as to how long that link was active, but I was pleased to see it worked.
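The timeline above can be replayed against a small model of a code issuer. This is an added example, not code from the original post or from Mozilla: the `CodeIssuer` class, the `reset_on_resend` switch and the address are hypothetical, and the "deadline stays anchored to the first send" behaviour is only the post's guess at the cause.

```python
import secrets

CODE_TTL = 5 * 60  # seconds; the five-minute expiry described in the post


class CodeIssuer:
    """Hypothetical issuer of six-digit email verification codes."""

    def __init__(self, reset_on_resend):
        self.reset_on_resend = reset_on_resend
        self.pending = {}  # email -> (code, expires_at)

    def send(self, email, now):
        """Issue or re-issue a code at time `now` (seconds); returns the code."""
        code = f"{secrets.randbelow(10**6):06d}"
        old = self.pending.get(email)
        if old is not None and not self.reset_on_resend:
            # Hypothesised defect: a resend keeps the first deadline.
            expires_at = old[1]
        else:
            # Corrected behaviour: every send starts a fresh window.
            expires_at = now + CODE_TTL
        self.pending[email] = (code, expires_at)
        return code

    def verify(self, email, code, now):
        """Accept a code only if it matches and its deadline has not passed."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        stored, expires_at = entry
        if now > expires_at or not secrets.compare_digest(stored, code):
            return False
        del self.pending[email]  # codes are single use
        return True


def replay_timeline(reset_on_resend):
    """Replay the post's timings; returns (first_code_ok, second_code_ok)."""
    issuer = CodeIssuer(reset_on_resend)
    addr = "user@example.test"  # constructed address
    first = issuer.send(addr, now=0)
    # Greylisting delays delivery of the first email by twenty minutes.
    first_ok = issuer.verify(addr, first, now=20 * 60)
    second = issuer.send(addr, now=20 * 60)
    # The resent email arrives within three minutes.
    second_ok = issuer.verify(addr, second, now=23 * 60)
    return first_ok, second_ok
```

With `reset_on_resend=False` both codes are rejected, matching what the post observed; with `reset_on_resend=True` the first code still expires during the greylisting delay, but the resent one is accepted.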
Wait–they want my mobile number?
Then Firefox asked me for a mobile phone number. As of this writing, the displayed page is here. (Given the fickle nature of the web, there’s no guarantee this URL will work for more than about six months.)
What?? This is a company that’s supposedly dedicated to privacy, and it wants my mobile number?
Fortunately the truth is less scary than that. The page’s design highlights the request for a mobile number and its attendant “Send” button. However, at the top of the page (in rather bold text, I should add) is “You did it! You’re signed in.” So I am signed in; the request for a mobile number is purely optional and exists only to send a link for a Firefox app of some description to the phone.
Well, am I signed in or not?
Another link on the “You’re signed in” page says “Start Browsing”, and it redirects to the Firefox Accounts page at mozilla.org. And what’s prominent on that page? A request to “Join Firefox” followed by “Enter your email address to get started” and “Already have an account? Sign In”. But I have signed in. This page simply doesn’t recognize the fact.
In a way it’s nice to see they’re not quietly dropping cookies that get shared between the Firefox and Mozilla sides of the organization, but it makes for a rather jarring experience.
It turns out that the Firefox Account can be used to access other parts of the Firefox and Mozilla ecosystem, but they don’t operate it as a single signon the way Google does with its signon and services. Therefore, for each service I want to access with a Firefox account I need to sign on separately. It’s not a bad idea, but it’s not explained in any way, shape, or form by Mozilla or Firefox.