Two-Factor Authentication False Positive
1Password is correctly telling me that https://desk.zoho.com/ supports 2FA. What it doesn't know is that https://desk.zoho.com/portal/macplussoftware/ does NOT support 2FA. I have a saved password entry for the latter, but not the former - can I tell 1Password that, despite it claiming 2FA is supported but not enabled, it's not actually supported here?
1Password Version: 7.2.1
Extension Version: 7.2.1
OS Version: macOS 10.14
Sync Type: 1Password Account
Comments
@WorldWizard - you can add the tag 2FA to that record, which will suppress the "Inactive 2FA" warning in Watchtower. I'll let our development team know this is reporting a false positive to see if there's anything we can do to improve it. Thanks for reporting! :)
0 -
Thanks. That worked.
0 -
@WorldWizard :) :+1:
0 -
Hi @Lars . I know this is an old ticket, but I would like to add a little more information rather than create a new post. Feel free to break it out into a new thread if that works better for you. If you do, it would make sense to put in the Windows forum because I'm on Windows 10 and using 1Password version 7.3.657.
According to https://twofactorauth.org (which appears to be the data source for this aspect of WatchTower), https://www.zoho.com/mail supports 2FA. I assume this is correct. Furthermore, I have a https://www.zoho.com/crm account for ZOHO CRM, and it also supports 2FA (but is not listed in twofactorauth.org).
However, I also have an account on https://subscriptions.zoho.com for managing my invoices and payments for a software subscription. Similar to @WorldWizard's complaint, above, this site does not support 2FA. Quite correctly, it is also not listed in twofactorauth.org. But WatchTower is incorrectly flagging it as "Inactive 2FA", regardless.
Similarly, https://www.ionos.com account supports 2FA but https://mailbusiness.ionos.com does not. The former is listed in twofactorauth.org and the latter is not. Regardless, WatchTower is showing that 2FA is supported on both.
So it appears that the algorithm for WatchTower discards everything except the last two labels in the domain name and uses that substring of the URL for the twofactorauth.org lookup. This heuristic might work in most cases, but it will naturally generate many false positives. If you could pass this feedback to the development team, that would be appreciated.
Thanks for the tip about the 2FA tag; it's a kludge, but it works.
0 -
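The matching rule hypothesised in the post above, as an added example that is not part of the thread and is not 1Password's code. The directory list is a constructed stand-in holding only the two URLs the posts say are listed, the saved logins and their 2FA status are taken from the posts, and `last_two_labels` models the poster's guess rather than a confirmed algorithm.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the directory: only the entries the posts say are listed.
DIRECTORY = ["https://www.zoho.com/mail", "https://www.ionos.com"]

# Saved-login URLs from the thread -> whether the posters say 2FA is offered there.
SAVED_LOGINS = {
    "https://desk.zoho.com/": True,
    "https://www.zoho.com/crm": True,
    "https://subscriptions.zoho.com": False,
    "https://www.ionos.com": True,
    "https://mailbusiness.ionos.com": False,
}

def host(url):
    """Exact-host key: the full hostname, lower-cased, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def last_two_labels(url):
    """Hypothesised key: keep only the last two DNS labels of the hostname."""
    return ".".join(host(url).split(".")[-2:])

def flagged(key):
    """Saved logins whose key equals the key of any directory entry."""
    listed = {key(entry) for entry in DIRECTORY}
    return {url for url in SAVED_LOGINS if key(url) in listed}

def false_positives(key):
    """Flagged logins that do not actually offer 2FA."""
    return sorted(u for u in flagged(key) if not SAVED_LOGINS[u])

def misses(key):
    """Logins that offer 2FA but are not flagged."""
    hits = flagged(key)
    return sorted(u for u, has_2fa in SAVED_LOGINS.items() if has_2fa and u not in hits)

if __name__ == "__main__":
    for name, key in (("last two labels", last_two_labels), ("exact host", host)):
        print(f"{name}: false positives={false_positives(key)} misses={misses(key)}")
```

Matching on the exact host removes both false positives but then misses desk.zoho.com, so neither key is correct without per-host data in the directory.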
Totally. I'm not sure what the right solution is since, as we've seen, different websites handle these things very differently. For example, I have no idea why a company that clearly has the capability to offer two-factor authentication limits it to only certain parts of the same website. But we'll continue to evaluate this. Thank you for your feedback and additional details! :)
0 -
Sorry to bump this old thread, but I didn't know if this was the place to report false positives for 2FA suggestions.
As @gordcook above stated, one is a subdomain:
forums.bestbuy.com does not share the same login as bestbuy.com
The other two have 2FA schemes, just not the kind 1Password can store:
fidelity.com
ebay.com
I was already aware of the tag to suppress the message, just wanted to pass this on to the developers. Especially since the latter two are fairly popular.
0 -
Thanks, @Recent_Convert. I believe it is possible to log into eBay.com using a PayPal account, which can utilize TOTP. I don't have personal experience with fidelity but I'll ask the team to look into that. :+1:
Ben
0 -
The other two have 2FA schemes, just not the kind 1Password can store:
ebay.com
@Ben,
I also got the message from Watchtower that there is a 2FA for eBay.de. On eBay.de there are two possibilities for 2FA - message via SMS and via eBay App. None of them is working with 1Password.
The tag 2FA I'm already using to quickly find all of my accounts which have 2FA activated in 1Password. So for me the tag is no option to suppress the message in Watchtower. ;)
0 -
Hey everyone! Hope you are all well! :chuffed: Particularly, I think eBay should not be in the list. 2FA from 1Password is an awesome feature based on one-time passwords. eBay merely uses the phone number to support 2FA using SMS, therefore, eBay will never be removed from the list, even if we do activate 2FA using our phones.
Just an idea...
0 -
Have you already added the 2fa tag to your Ebay item? This will remove Ebay from the list ;)
0 -
Hi Ana! It worked! Thank you for the tip!
0 -
You are welcome @andrejulius! If you have any other questions, please feel free to reach out anytime.
Have a wonderful day :)
0