Business Reports for two-factor authentication is noisy
Guys, MS Office365 has the ability to enforce 2FA and is controlled by those administrators. When 1Password flags an Office365 account as not using 2FA, it is noise. The remedy is for each employee to visit that account/item and set the "ignore" flag (or worse yet, tag the item as "2FA", which somehow conveys to my users this will squelch the noisy warning). As it is, any discussion w/ employees involves a glorious explanation of the design (eyes roll to back of head...) and dismissal of concern.
As an administrator, the ability to eliminate this noise for very well known apps would be super helpful. In short the warning is noise and only introduces friction towards my team striving for conscientious practices.
I would love to hear of proposals. :)
Comments
-
I see you have an open discussion with the team. If you're looking to include this feedback, feel free to include it in your email discussion. I've left this conversation here, so if you're looking for feedback on how other folks work with this, you might get a bit of a discussion going. Cheers!
0 -
Hi Tommy, I'm not sure what action I should take. Please advise.
0 -
To touch on your subject, the tag 2fa was introduced pre-1Password 8, which has the ability to ignore alerts. It's been around for quite a while. Similarly, I think the tag http also quells the notifications for sites that do not support https. It's been a long time since I used the http tag method. They both go back to the day when folks sought to make those warnings less obtrusive. I used them myself for years.
Would I be correct in thinking you're looking to disable all notifications of this type as a once-and-done type of situation? If so, I can file a feature request on your behalf. The other option, which is more nuclear, would disable Watchtower itself, and I generally don't recommend folks take that action. It provides beneficial information.
0 -
I'm seeking to reduce/eliminate tasks my employees have to do in order to maintain a strong security posture. Extra administrative effort on their part is a distraction and reduces the perceived value of 1Password & security.
Whilst adding a tag may be trivial, many have zero interest in additional work or learning new stuff that can be avoided.
The disabling would be for specific items, such as Office365 or GitHub or ... As an admin, I know MFA is required and the additional notification is not helpful. Notifications for say, a video production site used by our technical writers, would be helpful.
0 -
Thanks for the reply. I'm happy to file a feature request on your behalf. To clarify, are you enforcing MFA for the logins in question but you're not using 1Password as the authenticator app? Or are you choosing to not secure those accounts using MFA for certain reasons?
I look forward to hearing from you.
-Dave
0 -
We enforce MFA as a matter of policy & practice wherever possible. I encourage folks to use 1Password TOTP for almost everything.
Critical accounts (email, prod access, ...) are not a good idea (IMO) for 1Password inclusion, and for those I encourage a separate app.
0