Watchtower not flagging sites with 2FA available

Ind3X
Ind3X
Community Member
in Mac

I noticed this evening that Watchtower hadn't flagged sites where I didn't have 2FA enabled, even though 2FA is available on the site. I noticed this when perusing a list of 2FA enabled websites from another source. I haven't 'ignored' or hidden any notifications in 1password, so I guess this is a bit broken?

Here are some example sites:

Asos.com
Booking.com
Canva.com
Codepen.io
Displate.com
easyJet.com

None of these sites were listed by Watchtower in the Mac or iOS versions of the app 🤷🏻‍♂️. Is there a fix for this issue already or is this a bug that needs looking at?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Dave_1P
    Dave_1P

    Hello @Ind3X! 👋

    Thank you for reporting that certain sites aren't being flagged as having 2FA available. 1Password's Watchtower uses the repository at https://2fa.directory/ to know when a site supports TOTP-based two-factor authentication. It then uses this knowledge to present users with a notification to turn on 2FA for that website.

    I've taken a look and I see that every website in your list but Canva.com is listed as not supporting TOTP-based 2FA on https://2fa.directory/. If this is in error then I recommend submitting a report here: Contributing to 2fa.directory

    Canva.com

    I do see that https://2fa.directory/ does list this website as supporting 2FA in certain regions and I've flagged this to our development team to look into further. I'm sorry for the inconvenience.

    Even if a site isn't flagged by Watchtower, you can use 1Password as an authenticator app for that site as long as it supports TOTP-based two-factor authentication: Use 1Password as an authenticator for sites with two-factor authentication

    -Dave

    ref: dev/web/watchtower.1password.com#181

  • Ind3X
    Ind3X
    Community Member
    edited August 2024

    Apologies for the delayed reply @Dave_1P.

    You are correct, the 2fa site is often incorrect and I plan to submit PR's to the 2fa.directory repo myself to fix some missing or incorrect info stated on their site.

    I do have a much bigger list than I posted above and there are definitely some mismatches between 1Pass watchtower/2FA.dir for some sites, though.

    Oddly, the Raycast extension which highlighted some 2FA sites to me which were not flagged in 1Password, also pulls it's data from https://2fa.directory/ and the results in that extension differ from the results in 1Password, though that ext also reports some correct, incorrect/mismatched info compared to the 2fa.dir site. Something is not working well somewhere and I believe it is potentially coming from all 3 sources somehow (the Raycast ext (Search 2FA Directory), Watchtower and also the https://2fa.directory/ site itself, (or their API's!?))

    Is 2fa.directory also the source for "passkeys available" reports in Watchtower? I noticed today that GitLab was not flagged in Watchtower as having a passkey available even though a passkey can be setup on GitLab. I'm also not sure if this is due to GitLab/2FA.dir not explicitly stating passkeys being available, rather stating that WebAuthn/Hardware devices are supported. I'm not sure where Watchtower in 1Password gets its passkeys data from? If it's 2fa.directory, then something in their API or 1Password is broken. I'm guess it's more likely that the passkeys report in Watchtower is generated via your passkeys directory though?

    One potential reason GitLab may not have been flagged for having a passkey available is that I have it tagged with '2FA' in 1password to avoid the banners regarding 2FA being available where I've used a 3rd party app for tokens. I believe the "'tag it with '2FA'" solution was provided by your team long before passkeys even existed. If that is a reason for the non-flagging, then it would be great if that could be somehow resolved in a future release so that passkeys and 2FA banners are 'cleaned up' with different tags. This would give a better indication in watchtower as to which sites can now use passkeys, even if they are currently set up with TOTP.

  • Ind3X
    Ind3X
    Community Member

    You can scrap much of what I said above. I've just realised that the Raycast ext I mentioned just shows everything on the https://2fa.directory/ site, regardless of whether they support 2FA or not, so it displays many entries with links to 'request' the site supports 2FA, which I thought it filtered out, hence the confusion over seeing entries in that ext which are not flagged in Watchtower.

    Sorry about that 🤦🏻‍♂️

  • Dave_1P
    Dave_1P

    @Ind3X

    Thanks for the followup post about Raycast, I'm glad that you were able to solve that mystery.

    Is 2fa.directory also the source for "passkeys available" reports in Watchtower? I noticed today that GitLab was not flagged in Watchtower as having a passkey available even though a passkey can be setup on GitLab.

    Watchtower uses Passkeys.directory for information on passkey availability. I just created a test item for Gitlab.com and I see the Watchtower passkey banner:

    image

    The 2FA tag shouldn't affect the passkey banner. Is it possible that you ignored the passkey banner in the past? You can check your ignored warning here:

    1. Open and unlock the 1Password for Mac desktop app.
    2. Click Watchtower.
    3. Scroll down and click Show Ignored Alerts.
    4. Click on the relevant item and then click Restore Alert.

    Let me know if that doesn't work.

    -Dave

  • Ind3X
    Ind3X
    Community Member
    edited September 2024

    @Dave_1P

    Thanks for testing. I honestly don't believe I've ever ignored an alert (though that's not entirely impossible).

    I just checked and I don't have the Show Ignored Alerts button on the Watchtower page 🤔. Would that usually be missing If I'd not ignored banners in the past?

    ...and BTW, you tested GitHub, not GitLab. It looks like we both need more coffee from time to time 😂 (or we've already had too much 🤷🏻‍♂️) 🤣

  • Ind3X
    Ind3X
    Community Member
    edited September 2024

    Watchtower uses Passkeys.directory for information on passkey availability.

    So it does, sorry, I'd mistaken that site as a 1Password site due to the footer at the bottom (img below), though I also see the 'Passage' banner at the top of the page too, 1Password (or is it still AgileBits?), merged / announced a partnership with that company at some point, right? I can see that GitLab.com isn't listed on Passkeys.directory, so I guess that answers that query 🙄

    Is Passkeys.directory maintained independently, or does it source its data from elsewhere, such as passkeys.2fa.directory? GitLab is listed on passkeys.2fa.directory, hence the question.

    Apologies for the double post

  • ag_tommy
    ag_tommy

    Passkeys.directory is a community-driven index of websites, apps, and services that offer signing in with passkeys. Feel free to make a contribution. To the site we welcome all submissions.

    Agilebits is the parent company of 1Password. Yes, Passage is a 1Password company.

    Passwordless Authentication Powered by Passkeys | Passage by 1Password