2FA exception - Xfinity

jadchaarjadchaar
edited February 14 in Mac

Hi guys,

I noticed a banner on my Xfinity login saying that 2FA is available for it, but it is only available with the proprietary Xfinity mobile application or via SMS. Xfinity does not seem to support standard TOTP (for use in 1P) so the banner should probably be removed for anything with the xfinity.com domain.

Source: https://www.xfinity.com/support/articles/enroll-2-step-verification


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • LarsLars Junior Member

    Team Member
    edited May 27

    Hey @jadchaar! Long time, no see. :) Thanks for the heads-up. I agree, if they're restricting things to a proprietary app, it shouldn't be in our list. I'll notify Roo & crew. 👍

    ref: web/watchtower.1password.com#2

  • +1 for this request.

  • LarsLars Junior Member

    Team Member

    :) :+1:

  • Don't mean to re-open this, but the same situation just popped up for eBay. eBay uses its own app for authentication, not a one-time code. See here: LINK. Can you note an exception for this?

  • BenBen AWS Team

    Team Member
    edited May 27

    Thanks @crispybishop. I'll see what I can do to make that happen. :+1:

    Ben

    ref: web/watchtower.1password.com#8

  • jimthingjimthing
    edited June 7

    Yes, Ebay have their own in-app method. Am I right that it's literally the only method they offer? (If so that's a pain. Why can't they just let us use our own TOTP so we can store them in one place!?).

    I notice the "Two-Factor Authentication Available" banner has two buttons: "Don't Save In 1Password" & "Scan QR Code".

    The question then is, what is this trying to tell users, exactly? Does this mean:

    a. Expect a TOTP/QR Code method for the website in question?
    or
    b. We dunno if a TOTP/QR Code option is available or not for the website in question, but you can if it is?

    I'm guessing it's the latter (b). So it's not an indicator that TOTP has definitely been enabled for that website, but rather it's just a convenience function in case it has.

    I happened to tap the "Don't Save In 1Password" button and the banner disappeared and a 2FA tag appeared on it. So AFAICT, this therefore isn't a "special exception" for individual sites, but rather it's just made available on every 2FA warning banner.

    But the issue then is that under the 2FA tag, we as users will have two different ideas being done there: websites that have their own non-TOTP method (like Ebay's in-app one) and websites that wrongly triggered the "Two-Factor Authentication Available" banner. How is this best handled?

    Additionally, does that still mean users will have to still periodically manually check sites to see if they happen to offer the (arguably better? or perhaps just more convenient, being centrally located inside 1P?) TOTP method as a new option, sometime in future?

  • I really hate how these companies do their own stuff here. Way to make it harder on us

  • ag_anaag_ana

    Team Member

    @jimthing:

    I notice the "Two-Factor Authentication Available" banner has two buttons: "Don't Save In 1Password" & "Scan QR Code".

    >

    The question then is, what is this trying to tell users, exactly?

    This is an option that we offer so that a user is not prompted to enable 2FA for an account where 2FA is already enabled. It doesn't mean that we know (or don't know) if a website supports TOTP or not, it's mostly to leave the choice to the user on what authenticator app to use. I suppose some users might like to use 1Password as the authenticator app in certain cases, but maybe prefer to use a separate authenticator app for certain logins.

    But the issue then is that under the 2FA tag, we as users will have two different ideas being done there: websites that have their own non-TOTP method (like Ebay's in-app one) and websites that wrongly triggered the "Two-Factor Authentication Available" banner. How is this best handled?

    Do you have an example of a website that wrongly triggers the "Two-Factor Authentication Available" banner?

    Additionally, does that still mean users will have to still periodically manually check sites to see if they happen to offer the (arguably better? or perhaps just more convenient, being centrally located inside 1P?) TOTP method as a new option, sometime in future?

    I believe so, yes. 1Password checks a known list of websites that offer 2FA (we user TwoFactorAuth.org for that), but it only checks if the functionality exists, not all the methods offered by a service. Although it would be nice if there was a way to do this automatically!

  • ag_anaag_ana

    Team Member

    @prime: It would be certainly convenient to have everything in one place :+1:

  • jimthingjimthing
    edited June 8

    @ag_ana
    Thanks for the answers. Mostly it makes sense now. Except:

    Do you have an example of a website that wrongly triggers the "Two-Factor Authentication Available" banner?

    Yes, for example, I have a 2FA warning banner for Zendesk. The trouble is that my login is as a user, not as an admin account, hence 2FA doesn't exist for my login type.

    Hence my point:

    But the issue then is that under the 2FA tag, we as users will have two different ideas being done there: websites that have their own non-TOTP method (like Ebay's in-app one) and websites that wrongly triggered the "Two-Factor Authentication Available" banner. How is this best handled?

  • ag_anaag_ana

    Team Member

    @jimthing: Thank you for the example! Even though it's not the cleanest approach, I would personally add the "2fa" tag to your ZenDesk item too, so at least I would not see the banner if it's not applicable to you. I would also add a line to the Notes section of the item explaining this to myself, for future reference.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file