How to prevent false "Inactive 2FA" messages in Watchtower 2.0?

XIII
XIII
Community Member
edited May 2018 in Families

Watchtower 2.0 is really nice!

However, I have at least 1 false "Inactive 2FA" message for an account of a service that uses SMS as the second factor. It looks like you only check whether an OTP is configured?

How can I prevent false "Inactive 2FA" messages for services that use SMS (or YubiKey, etc.)?


Sync Type: 1password.com

«1

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @XIII: Indeed, we're very intentionally ignoring SMS "2FA" because it's not only incredibly insecure, but also that 1Password can't help you by generating codes for these sites. Between those, I don't expect we'll be changing this. But we'll continue to evaluate things, especially with raged to Yubikey. I'm just not sure how 1Password could be involved with that.

  • XIII
    XIII
    Community Member
    edited May 2018

    Then maybe don’t list items in Watchtower if SMS is the only second factor offered?

    False positives might make people ignore results (like many people close pop ups without even reading them).

    Watchtower now lists them as actionable, while I actually already did all I could do, so I “must” ignore it myself.

    What’s worse: every time I run Watchtower I have to think about this again; it’s wasting mental energy.

  • Hi @XIII,

    Which site are we showing that only supports SMS? We'll get it removed from the list.

    Also, you can add a "2FA" tag to the item to indicate it's enabled but you're using another authenticator app.

  • MrC
    MrC
    Volunteer Moderator
    edited May 2018

    Here's my list of sites I had to 2FA tag for exclusion:

    • Pinterest
    • Sykpe (since it uses the Microsoft Live login, and I have 2FA setup there, my Skype login entry won't have a TOTP).
    • USAA

    I also have some other project-centric Login entries for Sourceforge (where I do have 2FA enabled), but sine they are separate URLs, with separate username/passwords for other areas in Sourceforge (e.g. mailing lists), they show up as missing. There's the main website login for Sourceforge, and then a project on Sourceforge can have mailing lists that use the Mailman mailing list component which has login/passwords, but has no 2FA.

  • XIII
    XIII
    Community Member
    edited May 2018

    Ha, I was actually already using the tag “2fa”, but forgot to add it for this particular site...

    I’d rather PM you the site, as I don’t want to post it on a public forum.

    How can I do that?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @XIII: Ah, gotcha. I'll shoot you a private message here in a minute. :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @MrC: Thank you! I'm not sure what the best solution is for that last one, but it's good to hear edge cases like this. :)

    ref: b5-4263

  • XIII
    XIII
    Community Member

    I'll shoot you a private message here in a minute. :)

    Thanks. Reply sent.

  • AGAlumB
    AGAlumB
    1Password Alumni

    :) :+1:

  • sphardy
    sphardy
    Community Member

    Hello - an addition to the list of "problematic sites":

    There is a domain registration site called Iwantmyname.com. It does offer 2FA and is recognised by 1Password, however it uses the authy service only to provide this function.

    I find no way to set that site up to use regular TOTP and so it becomes falsely reported by watchtower as not setup for 2FA.

    (Came here to find the method to address this - have seen the "2FA" tag option mentioned and that addresses the issue for me for the moment)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @sphardy: Indeed, I'm not seeing that they're registered on https://twofactorauth.org so they won't show up in 1Password. I'm not sure I understand how they could exclusively use Authy though. As far as I know, Authy just uses the TOTP standard, same as 1Password. But then there could just be something I don't know. How do you set it up? QR code? Text strong?

  • sphardy
    sphardy
    Community Member
    edited May 2018

    @brenty: That "iwmn" site does in fact show up in 1 Password as you can see here in Beta 19 (I think)

    You can see below from the screen grab of the authy app on my phone how that site is listed specifically as an "Authy Account". Compare that to my Wordpress account listed as an "Authenticator Account" which uses regular TOTP and which I have successfully stored in 1Password also

    I used authy prior to 1Password supporting TOTP and now as a TOTP backup to 1Password. This is one of the sites I setup before 1Password had TOTP support. The configuration is made via QR code in the usual way but exclusively requires the Authy app. I have since tried disabling and re-enabling 2FA on the site to to see if this changes anything, but found that my previous configuration was simply restored without me needing to scan any code or enter any info. So I found no way to get this 2FA into 1Password

    It appears that these authy accounts offer automatic backups of the configuration and other custom features - like restoration of codes without the need to rescan.

  • AGAlumB
    AGAlumB
    1Password Alumni

    That "iwmn" site does in fact show up in 1 Password as you can see here in Beta 19 (I think)

    @sphardy: Yep, you're totally right. Thank you for letting me know! Turns out I was searching for the actual URL there. I found it by just searching for the name... /facepalm

    The configuration is made via QR code in the usual way but exclusively requires the Authy app.

    While it is possible to convert a QR code to a text TOTP secret with some apps, you should be able to just scan it with 1Password for iOS. Have you tried that? It's possible that it's simply not a format 1Password understands, and/or something proprietary, but it's worth a shot.

  • sphardy
    sphardy
    Community Member

    @brenty Unfortuantely I can't regenerate the code to attempt to scan it. I tried disabling and re-enabling 2FA, but all that happened was the original authy account was restored to my phone without the need to scan anything. I guess this is one of the "advantages" of Authy, but works against us trying to use an alternative app like 1Password.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah, gotcha. I'll see if I can sign up and give it a try. I'm curious what they're doing. Are you certain you can't export it from Authy?

  • sphardy
    sphardy
    Community Member
    edited May 2018

    @brenty Update: This was bugging me so I created a new account at iwantmyname.com and went to enable 2FA.

    While I seem to remember scanning a code with the authy app, I may be wrong or perhaps the process has changed - it's many years ago that I set this up.

    Certainly today it appears that the 2FA configuration is created via direct communication with the authy app - no QR code involved. That app must first be installed (on phone or computer), that a phone number is the unique identifier associating the authy account, and the website requests that phone number to send the 2FA config to via the authy service.

    There appears to be no means to obtain the configuration for another app such as 1password

    Maybe there are some security advantages to this method - but then I noticed that the backup method for code generation is SMS /Doh!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah, thanks for the update. That's interesting, and a bit of a shame. I do hope they'll allow using any TOTP compatible app in the future though.

  • Ryan Parman
    Ryan Parman
    Community Member

    I use "mfa" as the tag for these sites, not realizing that "2fa" was a hard-coded value. I also tag SMS-based MFA with "mfa-sms" because the engineers of those sites are bad at their jobs.

    But yeah. Same issue. Lots of "noise" about MFA that I can't do anything about. If something new were added to the list that I actually could do something about, I'd probably miss it.

  • Manaburner
    Manaburner
    Community Member

    I know that Twitch also only allows Authy to use for 2FA. What a shame

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Ryan Parman: I personally prefer the term "MFA" (multi-factor authentication) myself because it covers more things, but as most people are distinctly not me (or you, I guess!) and "2FA" (two-factor authentication) seems to be more prevalent an ties in with twofactorauth.org, we've gone with that for the tag. While you can reduce "noise" by adding the 2FA tag to items where you already have it or can't configure it yourself and that will help, I do thank you for the feedback on this. :)

  • deviantintegral
    deviantintegral
    Community Member

    Also, you can add a "2FA" tag to the item to indicate it's enabled but you're using another authenticator app.

    Perfect! But I didn't see a way that was discoverable in the app. It'd be helpful if the warning banner called that out.

    FYI, BackBlaze / B2 is showing the warning but only supports SMS.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @deviantintegral: I don't think it's a good idea at all to have the warning banner tell people how to disable it. :lol: But Backblaze does not support only SMS: https://www.backblaze.com/blog/two-factor-verification-via-totp/ Cheers! :) :+1:

  • deviantintegral
    deviantintegral
    Community Member

    Oh excellent, /me runs off to fix that.

    The thing I see is that if you are using something else (Authy, a yubikey, etc) that the only discoverable way to suppress the warning is to turn off the setting globally, which is still useful for telling users to set up 2FA in the app of their choice.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I'm not sure that suppressing security warnings is such a great thing to do in general, but we'll continue to iterate on the new Watchtower features. Thanks for the feedback! :)

  • signe
    signe
    Community Member

    This is incredibly frustrating. Many sites only allow SMS or require proprietary apps (e.g. my bank) . There needs to be an officially supported way to remove the 2FA "warning" when it's incorrect, but honestly we should be able to turn it off for whatever reason we want. If I don't want 2FA, then I shouldn't be nagged about it.

    It's 1P's place to store the information, and provide the information, but not to enforce usage that the user isn't interested in.

    Yet I am still consistently warned that I need to add 2FA to my account:

  • There needs to be an officially supported way to remove the 2FA "warning" when it's incorrect

    There is. Add a tag to those items called “2FA” and 1Password will no longer display the 2FA warning. :)

    Ben

  • michaeltsmith
    michaeltsmith
    Community Member

    Recognizing that this feature is still being iterated on, I'd like to make two recommendations:

    • The warning message text should be softened. If 1Password cannot definitively know if 2FA is enabled or not, then it would be a bit less jarring to say "This website supports 2FA (according to twofactorauth.org), but it may not be enabled."
    • There should be a simple way to remove the warning (and therefore add the tag) without having to do it manually (and also without telling the user how to do it.) For example, another CTA like "Mark 2FA as manually added." or something of that ilk.

    I think that this is a great feature but because I strongly disagree with the idea of 1Password housing the OTP code, making it easier to manage these warnings would be great.

  • MrC
    MrC
    Volunteer Moderator

    +1

    But I'd personally like to modify your last bullet point. Since this "ignoring" is essentially permanent until a user goes off and manually re-checks, an Ignore for n days would be nice, for some decided upon number of days. This way, the checks can re-engage automatically, and users can re-ignore when the duration has expired. I really don't like the semi-permanency/manual babysitting of the current Ignore (but its a great first step).

  • AGAlumB
    AGAlumB
    1Password Alumni

    @MrC: Thanks for chiming in! Personally, that would annoy me, but I can see how that could be useful. After all, arguably, annoyance is the point of warnings like this. It's a delicate balancing act. :lol:

  • AGAlumB
    AGAlumB
    1Password Alumni

    The warning message text should be softened. If 1Password cannot definitively know if 2FA is enabled or not, then it would be a bit less jarring to say "This website supports 2FA (according to twofactorauth.org), but it may not be enabled."

    @michaeltsmith: I think that's why it's yellow instead of red, but that's a fair point. I'll bring it up with the team. :)

    There should be a simple way to remove the warning (and therefore add the tag) without having to do it manually (and also without telling the user how to do it.) For example, another CTA like "Mark 2FA as manually added." or something of that ilk.

    Thanks for the suggestion! We're exploring a number of different options for dealing with this.

    I think that this is a great feature but because I strongly disagree with the idea of 1Password housing the OTP code, making it easier to manage these warnings would be great.

    I get where you're coming from, but I don't have a more secure (or available) place to store this stuff. We're in agreement though that it would be nice to have this exposed in the UI. Thanks for the feedback! :)

    ref: apple-1570

This discussion has been closed.