Two-Factor Authentication False Positive

WorldWizard
WorldWizard
Community Member

1Password is correctly telling me that https://desk.zoho.com/ supports 2FA. What it doesn't know is that https://desk.zoho.com/portal/macplussoftware/ does NOT support 2FA. I have a saved password entry for the latter, but not the former - can I tell 1Password that, despite it claiming 2FA is supported but not enabled, it's not actually supported here?


1Password Version: 7.2.1
Extension Version: 7.2.1
OS Version: macOS 10.14
Sync Type: 1Password Account

Comments

  • Lars
    Lars
    1Password Alumni

    @WorldWizard - you can add the tag 2FA to that record, which will suppress the "Inactive 2FA" warning in Watchtower. I'll let our development team know this is reporting a false positive to see if there's anything we can do to improve it. Thanks for reporting! :)

  • WorldWizard
    WorldWizard
    Community Member

    Thanks. That worked.

  • Lars
    Lars
    1Password Alumni

    @WorldWizard :) :+1:

  • gordcook
    gordcook
    Community Member

    Hi @Lars . I know this is an old ticket, but I would like to add a little more information rather than create a new post. Feel free to break it out into a new thread if that works better for you. If you do, it would make sense to put in the Windows forum because I'm on Windows 10 and using 1Password version 7.3.657.

    According to https://twofactorauth.org (which appears to be the data source for this aspect of WatchTower), https://www.zoho.com/mail supports 2FA. I assume this is correct. Futhermore, I have a https://www.zoho.com/crm account for ZOHO CRM, and it also supports 2FA (but is not listed in twofactorauth.org).

    However, I also have an account on https://subscriptions.zoho.com for managing my invoices and payments for a software subscription. Similar to @WorldWizard's complaint, above, this site does not support 2FA. Quite correctly, it is also not listed in twofactorauth.org. But WatchTower is incorrectly flagging it as "Inactive 2FA", regardless.

    Similarly, https://www.ionos.com account supports 2FA but https://mailbusiness.ionos.com does not. The former is listed in twofactorauth.org and the latter is not. Regardless, WatchTower is showing that 2FA is supported on both.

    So it appears that the algorithm for WatchTower discards everything except the last two labels in the domain name and uses that substring of the URL for the twofactorauth.org lookup. This heuristic might work in most cases, but it will naturally generate many false positives. If you could pass this feedback to the development team, that would be appreciated.

    Thanks for the tip about the 2FA tag; it's a kludge, but it works.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Totally. I'm not sure what the right solution is since, as we've seen, different websites handle these things very differently. For example, I have no idea why a company that clearly has the capability to offer two-factor authentication limits it to only certain parts of the same website. But we'll continue to evaluate this. Thank you for your feedback and additional details! :)

  • Recent_Convert
    Recent_Convert
    Community Member

    Sorry to bump this old thread, but I didn't know if this was the place to report false positives for 2FA suggestions.

    As @gordcook above stated, one is a subdomain:

    forums.bestbuy.com does not share the same login as bestbuy.com

    The other two have 2FA schemes, just not the kind 1Password can store:

    fidelity.com
    ebay.com

    I was already aware of the tag to suppress the message, just wanted to pass this on to the developers. Especially since the latter two are fairly popular.

  • Thanks, @Recent_Convert. I believe it is possible to log into eBay.com using a PayPal account, which can utilize TOTP. I don't have personal experience with fidelity but I'll ask the team to look into that. :+1:

    Ben

  • DenalB
    DenalB
    Community Member

    The other two have 2FA schemes, just not the kind 1Password can store:
    ebay.com

    @Ben ,
    I also got the message from Watchtower that there is a 2FA for eBay.de. On eBay.de there are two possibilities for 2FA - message via SMS and via eBay App. None of them is working with 1Password.

    The tag 2FA I'm already using to quickly find all of my accounts which have 2FA activated in 1Password. So for me the tag is no option to suppress the message in Watchtower. ;)

  • ag_ana
    ag_ana
    1Password Alumni

    @DenalB:

    If the website supports 2FA, then Watchtower is correct to show you the warning even if they don't support TOTP. I am sorry that using the 2fa tag doesn't work for you however, it was what I wanted to recommend doing ;)

  • DenalB
    DenalB
    Community Member

    Thanks @ag_ana . It's no problem for me. Just wanted to notify you. :)

  • Thanks @DenalB. :)

    Ben

  • andrejulius
    andrejulius
    Community Member

    Hey everyone! Hope you are all well! :chuffed: Particularly, I think eBay should not be in the list. 2FA from 1Password is an awesome feature based on one-time passwords. eBay merely uses the phone number to support 2FA using SMS, therefore, eBay will never be removed from the list, even if we do activate 2FA using our phones.

    Just an idea...

  • ag_ana
    ag_ana
    1Password Alumni

    @andrejulius:

    Have you already added the 2fa tag to your Ebay item? This will remove Ebay from the list ;)

  • andrejulius
    andrejulius
    Community Member

    Hi Ana! It worked! Thank you for the tip!

  • ag_ana
    ag_ana
    1Password Alumni

    You are welcome @andrejulius! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.