How to prevent false "Inactive 2FA" messages in Watchtower 2.0?
Watchtower 2.0 is really nice!
However, I have at least 1 false "Inactive 2FA" message for an account of a service that uses SMS as the second factor. It looks like you only check whether an OTP is configured?
How can I prevent false "Inactive 2FA" messages for services that use SMS (or YubiKey, etc.)?
Sync Type: 1password.com
Comments
-
@XIII: Indeed, we're very intentionally ignoring SMS "2FA" because it's not only incredibly insecure, but also that 1Password can't help you by generating codes for these sites. Between those, I don't expect we'll be changing this. But we'll continue to evaluate things, especially with raged to Yubikey. I'm just not sure how 1Password could be involved with that.
0 -
Then maybe don’t list items in Watchtower if SMS is the only second factor offered?
False positives might make people ignore results (like many people close pop ups without even reading them).
Watchtower now lists them as actionable, while I actually already did all I could do, so I “must” ignore it myself.
What’s worse: every time I run Watchtower I have to think about this again; it’s wasting mental energy.
0 -
Here's my list of sites I had to 2FA tag for exclusion:
- Sykpe (since it uses the Microsoft Live login, and I have 2FA setup there, my Skype login entry won't have a TOTP).
- USAA
I also have some other project-centric Login entries for Sourceforge (where I do have 2FA enabled), but sine they are separate URLs, with separate username/passwords for other areas in Sourceforge (e.g. mailing lists), they show up as missing. There's the main website login for Sourceforge, and then a project on Sourceforge can have mailing lists that use the Mailman mailing list component which has login/passwords, but has no 2FA.
0 -
Ha, I was actually already using the tag “2fa”, but forgot to add it for this particular site...
I’d rather PM you the site, as I don’t want to post it on a public forum.
How can I do that?
0 -
I'll shoot you a private message here in a minute. :)
Thanks. Reply sent.
0 -
:) :+1:
0 -
Hello - an addition to the list of "problematic sites":
There is a domain registration site called Iwantmyname.com. It does offer 2FA and is recognised by 1Password, however it uses the authy service only to provide this function.
I find no way to set that site up to use regular TOTP and so it becomes falsely reported by watchtower as not setup for 2FA.
(Came here to find the method to address this - have seen the "2FA" tag option mentioned and that addresses the issue for me for the moment)
0 -
@sphardy: Indeed, I'm not seeing that they're registered on https://twofactorauth.org so they won't show up in 1Password. I'm not sure I understand how they could exclusively use Authy though. As far as I know, Authy just uses the TOTP standard, same as 1Password. But then there could just be something I don't know. How do you set it up? QR code? Text strong?
0 -
@brenty: That "iwmn" site does in fact show up in 1 Password as you can see here in Beta 19 (I think)
You can see below from the screen grab of the authy app on my phone how that site is listed specifically as an "Authy Account". Compare that to my Wordpress account listed as an "Authenticator Account" which uses regular TOTP and which I have successfully stored in 1Password also
I used authy prior to 1Password supporting TOTP and now as a TOTP backup to 1Password. This is one of the sites I setup before 1Password had TOTP support. The configuration is made via QR code in the usual way but exclusively requires the Authy app. I have since tried disabling and re-enabling 2FA on the site to to see if this changes anything, but found that my previous configuration was simply restored without me needing to scan any code or enter any info. So I found no way to get this 2FA into 1Password
It appears that these authy accounts offer automatic backups of the configuration and other custom features - like restoration of codes without the need to rescan.
0 -
That "iwmn" site does in fact show up in 1 Password as you can see here in Beta 19 (I think)
@sphardy: Yep, you're totally right. Thank you for letting me know! Turns out I was searching for the actual URL there. I found it by just searching for the name... /facepalm
The configuration is made via QR code in the usual way but exclusively requires the Authy app.
While it is possible to convert a QR code to a text TOTP secret with some apps, you should be able to just scan it with 1Password for iOS. Have you tried that? It's possible that it's simply not a format 1Password understands, and/or something proprietary, but it's worth a shot.
0 -
@brenty Unfortuantely I can't regenerate the code to attempt to scan it. I tried disabling and re-enabling 2FA, but all that happened was the original authy account was restored to my phone without the need to scan anything. I guess this is one of the "advantages" of Authy, but works against us trying to use an alternative app like 1Password.
0 -
Ah, gotcha. I'll see if I can sign up and give it a try. I'm curious what they're doing. Are you certain you can't export it from Authy?
0 -
@brenty Update: This was bugging me so I created a new account at iwantmyname.com and went to enable 2FA.
While I seem to remember scanning a code with the authy app, I may be wrong or perhaps the process has changed - it's many years ago that I set this up.
Certainly today it appears that the 2FA configuration is created via direct communication with the authy app - no QR code involved. That app must first be installed (on phone or computer), that a phone number is the unique identifier associating the authy account, and the website requests that phone number to send the 2FA config to via the authy service.
There appears to be no means to obtain the configuration for another app such as 1password
Maybe there are some security advantages to this method - but then I noticed that the backup method for code generation is SMS /Doh!
0 -
Ah, thanks for the update. That's interesting, and a bit of a shame. I do hope they'll allow using any TOTP compatible app in the future though.
0 -
I use "mfa" as the tag for these sites, not realizing that "2fa" was a hard-coded value. I also tag SMS-based MFA with "mfa-sms" because the engineers of those sites are bad at their jobs.
But yeah. Same issue. Lots of "noise" about MFA that I can't do anything about. If something new were added to the list that I actually could do something about, I'd probably miss it.
0 -
I know that Twitch also only allows Authy to use for 2FA. What a shame
0 -
@Ryan Parman: I personally prefer the term "MFA" (multi-factor authentication) myself because it covers more things, but as most people are distinctly not me (or you, I guess!) and "2FA" (two-factor authentication) seems to be more prevalent an ties in with twofactorauth.org, we've gone with that for the tag. While you can reduce "noise" by adding the
2FAtag to items where you already have it or can't configure it yourself and that will help, I do thank you for the feedback on this. :)0 -
Also, you can add a "2FA" tag to the item to indicate it's enabled but you're using another authenticator app.
Perfect! But I didn't see a way that was discoverable in the app. It'd be helpful if the warning banner called that out.
FYI, BackBlaze / B2 is showing the warning but only supports SMS.
0 -
@deviantintegral: I don't think it's a good idea at all to have the warning banner tell people how to disable it. :lol: But Backblaze does not support only SMS: https://www.backblaze.com/blog/two-factor-verification-via-totp/ Cheers! :) :+1:
0 -
Oh excellent, /me runs off to fix that.
The thing I see is that if you are using something else (Authy, a yubikey, etc) that the only discoverable way to suppress the warning is to turn off the setting globally, which is still useful for telling users to set up 2FA in the app of their choice.
0 -
I'm not sure that suppressing security warnings is such a great thing to do in general, but we'll continue to iterate on the new Watchtower features. Thanks for the feedback! :)
0 -
This is incredibly frustrating. Many sites only allow SMS or require proprietary apps (e.g. my bank) . There needs to be an officially supported way to remove the 2FA "warning" when it's incorrect, but honestly we should be able to turn it off for whatever reason we want. If I don't want 2FA, then I shouldn't be nagged about it.
It's 1P's place to store the information, and provide the information, but not to enforce usage that the user isn't interested in.
Yet I am still consistently warned that I need to add 2FA to my account:
0 -
There needs to be an officially supported way to remove the 2FA "warning" when it's incorrect
There is. Add a tag to those items called “2FA” and 1Password will no longer display the 2FA warning. :)
Ben
0 -
Recognizing that this feature is still being iterated on, I'd like to make two recommendations:
- The warning message text should be softened. If 1Password cannot definitively know if 2FA is enabled or not, then it would be a bit less jarring to say "This website supports 2FA (according to twofactorauth.org), but it may not be enabled."
- There should be a simple way to remove the warning (and therefore add the tag) without having to do it manually (and also without telling the user how to do it.) For example, another CTA like "Mark 2FA as manually added." or something of that ilk.
I think that this is a great feature but because I strongly disagree with the idea of 1Password housing the OTP code, making it easier to manage these warnings would be great.
0 -
+1
But I'd personally like to modify your last bullet point. Since this "ignoring" is essentially permanent until a user goes off and manually re-checks, an Ignore for n days would be nice, for some decided upon number of days. This way, the checks can re-engage automatically, and users can re-ignore when the duration has expired. I really don't like the semi-permanency/manual babysitting of the current Ignore (but its a great first step).
0 -
The warning message text should be softened. If 1Password cannot definitively know if 2FA is enabled or not, then it would be a bit less jarring to say "This website supports 2FA (according to twofactorauth.org), but it may not be enabled."
@michaeltsmith: I think that's why it's yellow instead of red, but that's a fair point. I'll bring it up with the team. :)
There should be a simple way to remove the warning (and therefore add the tag) without having to do it manually (and also without telling the user how to do it.) For example, another CTA like "Mark 2FA as manually added." or something of that ilk.
Thanks for the suggestion! We're exploring a number of different options for dealing with this.
I think that this is a great feature but because I strongly disagree with the idea of 1Password housing the OTP code, making it easier to manage these warnings would be great.
I get where you're coming from, but I don't have a more secure (or available) place to store this stuff. We're in agreement though that it would be nice to have this exposed in the UI. Thanks for the feedback! :)
ref: apple-1570
0
