2FA exception - Xfinity

jadchaar
Community Member
edited February 2019 in Mac

Hi guys,

I noticed a banner on my Xfinity login saying that 2FA is available for it, but it is only available with the proprietary Xfinity mobile application or via SMS. Xfinity does not seem to support standard TOTP (for use in 1P) so the banner should probably be removed for anything with the xfinity.com domain.

Source: https://www.xfinity.com/support/articles/enroll-2-step-verification



Comments

  • Lars
    1Password Alumni
    edited May 2019

    Hey @jadchaar! Long time, no see. :) Thanks for the heads-up. I agree, if they're restricting things to a proprietary app, it shouldn't be in our list. I'll notify Roo & crew. 👍

    ref: web/watchtower.1password.com#2

  • crispybishop
    Community Member

    +1 for this request.

  • Lars
    1Password Alumni

    :) 👍

  • crispybishop
    Community Member

    Don't mean to re-open this, but the same situation just popped up for eBay. eBay uses its own app for authentication, not a one-time code. See here: LINK. Can you note an exception for this?

  • Ben
    edited May 2019

    Thanks @crispybishop. I'll see what I can do to make that happen. 👍

    Ben

    ref: web/watchtower.1password.com#8

  • jimthing
    Community Member
    edited June 2019

    Yes, eBay have their own in-app method. Am I right that it's literally the only method they offer? (If so that's a pain. Why can't they just let us use our own TOTP so we can store them in one place!?).

    I notice the "Two-Factor Authentication Available" banner has two buttons: "Don't Save In 1Password" & "Scan QR Code".

    The question then is, what is this trying to tell users, exactly? Does this mean:

    a. Expect a TOTP/QR Code method for the website in question?
    or
    b. We dunno if a TOTP/QR Code option is available or not for the website in question, but you can if it is?

    I'm guessing it's the latter (b). So it's not an indicator that TOTP has definitely been enabled for that website, but rather it's just a convenience function in case it has.

    I happened to tap the "Don't Save In 1Password" button and the banner disappeared and a 2FA tag appeared on it. So AFAICT, this therefore isn't a "special exception" for individual sites, but rather it's just made available on every 2FA warning banner.

    But the issue then is that under the 2FA tag, we as users will have two different ideas being done there: websites that have their own non-TOTP method (like eBay's in-app one) and websites that wrongly triggered the "Two-Factor Authentication Available" banner. How is this best handled?

    Additionally, does that still mean users will have to still periodically manually check sites to see if they happen to offer the (arguably better? or perhaps just more convenient, being centrally located inside 1P?) TOTP method as a new option, sometime in future?

  • prime
    Community Member

    I really hate how these companies do their own stuff here. Way to make it harder on us

  • ag_ana
    1Password Alumni

    @jimthing:

    > I notice the "Two-Factor Authentication Available" banner has two buttons: "Don't Save In 1Password" & "Scan QR Code".
    >
    > The question then is, what is this trying to tell users, exactly?

    This is an option that we offer so that a user is not prompted to enable 2FA for an account where 2FA is already enabled. It doesn't mean that we know (or don't know) if a website supports TOTP or not, it's mostly to leave the choice to the user on what authenticator app to use. I suppose some users might like to use 1Password as the authenticator app in certain cases, but maybe prefer to use a separate authenticator app for certain logins.

    > But the issue then is that under the 2FA tag, we as users will have two different ideas being done there: websites that have their own non-TOTP method (like eBay's in-app one) and websites that wrongly triggered the "Two-Factor Authentication Available" banner. How is this best handled?

    Do you have an example of a website that wrongly triggers the "Two-Factor Authentication Available" banner?

    > Additionally, does that still mean users will have to still periodically manually check sites to see if they happen to offer the (arguably better? or perhaps just more convenient, being centrally located inside 1P?) TOTP method as a new option, sometime in future?

    I believe so, yes. 1Password checks a known list of websites that offer 2FA (we use TwoFactorAuth.org for that), but it only checks if the functionality exists, not all the methods offered by a service. Although it would be nice if there was a way to do this automatically!

  • ag_ana
    1Password Alumni

    @prime: It would be certainly convenient to have everything in one place 👍

  • jimthing
    Community Member
    edited June 2019

    @ag_ana
    Thanks for the answers. Mostly it makes sense now. Except:

    > Do you have an example of a website that wrongly triggers the "Two-Factor Authentication Available" banner?

    Yes, for example, I have a 2FA warning banner for Zendesk. The trouble is that my login is as a user, not as an admin account, hence 2FA doesn't exist for my login type.

    Hence my point:

    > But the issue then is that under the 2FA tag, we as users will have two different ideas being done there: websites that have their own non-TOTP method (like eBay's in-app one) and websites that wrongly triggered the "Two-Factor Authentication Available" banner. How is this best handled?

  • ag_ana
    1Password Alumni

    @jimthing: Thank you for the example! Even though it's not the cleanest approach, I would personally add the "2fa" tag to your Zendesk item too, so at least I would not see the banner if it's not applicable to you. I would also add a line to the Notes section of the item explaining this to myself, for future reference.

This discussion has been closed.