How does 1Password determine whether or not 2FA is enabled?

lsonnx
Community Member

Watchtower's "Inactive 2FA" does a decent job of flagging logins where 2FA functionality is available. "Inactive 2FA" rarely seems to recognize when these logins have 2FA enabled correctly though.

Is it possible to improve this functionality? It isn't recognizing when 2FA is enabled for the vast majority of my logins over a number of major sites, so I'm assuming that this functionality is in the early stages of development. In the interim, if it's not possible to reliably assess whether 2FA is actually enabled or not, can you change the description from "Inactive 2FA" to "2FA Available"?



Comments

  • danco
    Volunteer Moderator

    Basically, Watchtower in 1PW can check whether or not a site has 2FA functionality, and whether or not this is turned on within 1PW itself.

    It can't tell if you have used a method outside 1PW to turn on 2FA.

    The warning can be turned off for a site by giving that login the tag "2FA".

  • Lars
    1Password Alumni

    @lsonnx - @danco asked the main question I would've as well: are you using 1Password to store these TOTP/2FA secrets? Or some other method like Authy or Yubikey or whatever? 1Password can't know whether you have enabled 2FA via another means; the way it works is: 1Password will examine your Logins for sites with known 2FA mechanisms. If any are found that don't have TOTP enabled within the Login record itself, those records will be flagged in "Inactive 2FA." As @danco mentioned, if you're using another method for 2FA instead of 1Password, you can turn off this warning on a record-by-record basis, by adding the tag 2FA to each such record.

  • lsonnx
    Community Member

    I was using another method for TOTP secrets. I'm looking at the related 1Pass / TOTP documentation now.

    Also, is there a reason that Gmail / Google accounts are never flagged as having "Inactive 2FA"?

  • AGAlumB
    1Password Alumni

    @lsonnx: Can you give me an example? I've got Google logins that are flagged as "Two-Factor Authentication Available". What are the URLs?

  • AGAlumB
    1Password Alumni

    @lsonnx: Hmm. Well, I don't quite understand this, but I'm seeing the same thing with those specific URLs, but not with a number of others. For example, mail.google.com shows as "Two-Factor Authentication Available". I believe this is because https://twofactorauth.org flags specific subdomains as supporting two-factor authentication. But it does seem weird to me that it would be so finicky about the full URL. There may be some other angle I'm not thinking of given the variety of Google's services, but we'll look into it further. Thank you for bringing this up!

    ref: apple-1806

  • lsonnx
    Community Member

    Duplicated. Just updated to https://mail.google.com.

  • AGAlumB
    1Password Alumni

    Thanks for confirming. We'll see what the best solution will be. :)

  • JadC
    1Password Alumni

    @lsonnx Glad the updated URL properly flagged the 2FA as inactive. We are looking to improve this functionality in the future, but for now, this occurs because we are not using a public suffix list in Watchtower to tell us that gmail.com is the same as mail.google.com, for example. We are looking to add a check of the public suffix list in the future, but for now we are matching exact URLs. Thanks for bringing this up again :smile:.

This discussion has been closed.
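
The matching behaviour described in this thread, as an added sketch that is not 1Password's code: a login is flagged when its host appears in a 2FA directory, the item stores no TOTP secret, and it lacks the "2FA" tag, with exact-host matching compared against registrable-domain matching. The directory entries, the public-suffix subset, the item fields and the sample logins are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-ins: a tiny public-suffix subset and a 2FA directory keyed by exact host.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}
TWOFA_HOSTS = {"mail.google.com", "github.com"}

def host_of(url):
    """Lower-cased hostname of a stored login URL, with or without a scheme."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower().rstrip(".")

def registrable_domain(host):
    """Longest public suffix plus one label (simplified: no wildcard or exception rules)."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host  # unknown suffix: fall back to the full host

TWOFA_DOMAINS = {registrable_domain(h) for h in TWOFA_HOSTS}

def inactive_2fa(logins, use_suffix_list):
    """Titles of logins on 2FA-capable sites with no stored TOTP and no '2FA' tag."""
    flagged = []
    for item in logins:
        host = host_of(item["url"])
        if use_suffix_list:
            supported = registrable_domain(host) in TWOFA_DOMAINS
        else:
            supported = host in TWOFA_HOSTS  # exact match, as the thread describes
        if supported and not item.get("totp") and "2FA" not in item.get("tags", []):
            flagged.append(item["title"])
    return flagged

# Constructed sample vault items.
LOGINS = [
    {"title": "Google (accounts URL)", "url": "https://accounts.google.com/signin"},
    {"title": "Google (mail URL)", "url": "https://mail.google.com"},
    {"title": "GitHub (TOTP stored)", "url": "https://github.com/login", "totp": "CONSTRUCTED-SECRET"},
    {"title": "GitHub (external token)", "url": "github.com", "tags": ["2FA"]},
    {"title": "Forum", "url": "https://forum.example.net"},
]

if __name__ == "__main__":
    print("exact host :", inactive_2fa(LOGINS, use_suffix_list=False))
    print("suffix list:", inactive_2fa(LOGINS, use_suffix_list=True))
```

Registrable-domain matching groups every host under google.com together; it does not by itself relate two different registrable domains, which would need an explicit alias entry.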