Watchtower for Two-Factor Auth Not Catching H&R Block

bmkaiser

I just realized today that HR Block supports a software token for two-factor auth! This is reflected on twofactorauth.org, but Watchtower on macOS, iOS, and 1password.com does not alert me that I haven't set up 2FA.

---

1Password Version: 7.4.3
Extension Version: 7.4.3
OS Version: macOS 10.15.4
Sync Type: iCloud

ag_ana

Hi @bmkaiser!

I confirm that I was able to reproduce this behavior, so I have opened an internal ticket to let our developers know about this. Thank you for reporting this!

ref: dev/web/watchtower.1password.com#28

bmkaiser

Thank you, @ag_ana! If I were a betting person, I'd guess it's caused by H&R Block not having public documentation. I know that Watchtower usually links you to the docs page that's listed to make it easier for people to set it up

Ben

Thanks for the additional information @bmkaiser. That may very well be a variable here. :+1: :)

Ben

ag_ana

@bmkaiser:

I just wanted to send you a quick update that this issue should have been now fixed :) Can you please test this website once again in your 1Password app and see if the Watchtower behavior changed?

bmkaiser

@ag_ana

That's great news! And thank you so much for the follow up on this thread :)

I'm testing by creating a test H&R Block account that has a username, password, and website. So far in 1Password for iOS, 1Password for Mac, and 1Password.com, Watchtower hasn't registered that the 2FA eligible account is missing a OTP field. Does Watchtower run on some sort of schedule to identify accounts that are vulnerable? I just created the test account earlier today.

ag_ana

@bmkaiser:

As far as I know, notifications don't happen on a schedule, 1Password should recognize a website as soon as you add it. Can you please confirm what version of 1Password for Mac and 1Password for iOS you are currently running, so I can test them and make sure everything looks ok? Thank you!

bmkaiser

@ag_ana:

I checked for updates across the board and everything is updated (also screenshots below from macOS):

• 1Password for macOS: 7.5 (70500003)
• 1Password for iOS: 7.5.2

ag_ana

@bmkaiser:

Thank you for the confirmation! You are running the latest version of the apps already, which is good. I will reopen our internal issue so we can take another look at this specific website and see why it decided not to show that message ;)

ref: dev/web/watchtower.1password.com#28

ag_ana

@bmkaiser:

We have investigated this further, and here is our final update: the twofactorauth.org data is missing a link to the 2FA documentation for H&R Block, which gets it excluded from our Watchtower list. The link will have to first be contributed into twofactorauth.org and then it will show up in Watchtower.

The problem is that it looks like H&R Block might not have any public documentation of this feature.

bmkaiser

Thank you, @ag_ana, that was my suspicion initially. It's too bad they don't have any public documentation.

ag_ana

You are welcome @bmkaiser :+1: As soon as the documentation becomes available, Watchtower should update accordingly without having to do anything else though, at least that :)