✅ Exact URL needed in Inactive 2FA Report

I recognized that the Inactive 2FA Report requires an exact URL, without subdomains:

When I log into Xing for the first time and Bitwarden asks me if the password should be stored, then Bitwarden stores https://login.xing.com/ (and the Inactive 2FA Report tells me that no sites are found).

The average user does not know that the URL should be changed to https://www.xing.com/ just for the Inactive 2FA Report.

This issue surely exists on other pages, like Amazon, where I have the URLs:

But on Two Factor Auth (https://twofactorauth.org/) the URL for Amazon is https://www.amazon.com/
So all country domains (like .de, .es, etc.) might cause these problems.

For Amazon I requested at the Two Factor Auth List that they add all international domains.
So the “Inactive 2FA report” will report Amazon no matter what country domain is used.

@tgreer In the GitHub posting I received the following reply:

Just a quick note: Even if we implement something like a domain array for entries in our lists, it still won’t show up on Bitwarden as long as they keep using API v1. That’s a deprecated version which won’t get any new features.

So you should (have to) use the new API version of the Two Factor Auth List, because

  • the old version is deprecated
  • the old version will not get any new features

Please update to the new API.


Noted and captured, thanks @OLLI_S!

Feature name

Inactive 2FA report should handle subdomains.

Feature function

  • What will this feature do differently?

If 2fa.directory has a recommendation for site.com, but my URI is foo.site.com, it does not match.

I imported logins from my browser to the vault and ran the inactive 2FA report.

My docker login had no 2FA entry, but this was missed in the inactive 2FA report.

The URI I imported was https://hub.docker.com.

Changing this to https://docker.com triggered a recommendation in the report.

  • What benefits will this feature bring?

I’m certain that many premium users are missing recommendations.

Also, I can’t find documentation warning of this behavior.

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?

  • Are there any references to this feature or function on other platforms that may be helpful?

Unsure.

Inactive 2FA report should utilize local and global equivalent domains

Feature function

  • What will this feature do differently?

Right now hosts in the URI are passed to inactive 2FA reports.

I have a login for sonyentertainmentnetwork.com that lacks TOTP. This does not match anything in 2fa.directory.

Bitwarden already has a global domain equivalency pairing sonyentertainmentnetwork.com and playstation.com

The URI host playstation.com has a 2fa.directory entry. It would generate a recommendation.

The platform should leverage the equivalent domains.

  • What benefits will this feature bring?

I’m certain other users are missing recommendations.

If the host given to 2fa.directory doesn’t match, and contains multiple subdomains, the platform could:

  • Remove one label and retry

If a.b.c.foo.com does not have a match, search for b.c.d.foo.com, c.d.foo.com, etc. until you reach the second level domain.

  • Just check the second level domain

If a.b.c.foo.com does not match, just check the second level domain foo.com.

Either would overcome the mismatch problem and alert more users of inactive 2fa logins.
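The "remove one label and retry" walk and the equivalent-domain lookup proposed above, as an added TypeScript example (not Bitwarden's or 2fa.directory's code); the directory entries, the equivalent-domain group and the names `candidateHosts`, `findEntryForUri` and `DirectoryEntry` are constructed assumptions for illustration:

```typescript
// Minimal view of a 2fa.directory entry: primary domain plus the optional
// "additional-domains" field the thread mentions. All sample data is constructed.
interface DirectoryEntry { domain: string; additionalDomains?: string[]; tfa: string[] }

const sampleDirectory: DirectoryEntry[] = [
  { domain: "docker.com", tfa: ["totp"] },
  { domain: "xing.com", tfa: ["totp"] },
  { domain: "amazon.com", additionalDomains: ["amazon.de", "amazon.es"], tfa: ["totp"] },
  { domain: "playstation.com", tfa: ["totp"] },
];
// Constructed equivalent-domain groups, shaped like Bitwarden's global
// equivalent domains; the pairing below is the one named in the post.
const sampleEquivalentDomains: string[][] = [["sonyentertainmentnetwork.com", "playstation.com"]];

// Candidates for a URI host: the host, then each ancestor reached by dropping
// one leading label ("remove one label and retry"), each expanded with its
// equivalent domains. The walk stops at two labels; production code should use
// the Public Suffix List so "shop.example.co.uk" is not reduced to "co.uk".
function candidateHosts(host: string, equivalents: string[][]): string[] {
  const labels = host.toLowerCase().split(".");
  const out: string[] = [];
  for (let i = 0; i <= labels.length - 2; i++) {
    const candidate = labels.slice(i).join(".");
    out.push(candidate);
    for (const group of equivalents) {
      if (group.indexOf(candidate) !== -1) out.push(...group.filter((d) => d !== candidate));
    }
  }
  return out;
}

// Returns the directory entry a stored login URI should be checked against, or
// undefined when neither the host, its ancestors nor their equivalents match.
function findEntryForUri(
  uri: string,
  dir: DirectoryEntry[] = sampleDirectory,
  equivalents: string[][] = sampleEquivalentDomains,
): DirectoryEntry | undefined {
  // Index every domain (primary and additional) that identifies an entry.
  const index: { [domain: string]: DirectoryEntry } = {};
  for (const e of dir) {
    index[e.domain] = e;
    for (const d of e.additionalDomains ?? []) index[d] = e;
  }
  for (const c of candidateHosts(new URL(uri).hostname, equivalents)) {
    if (index[c]) return index[c];
  }
  return undefined;
}
```

With the sample data, the stored URIs from this thread (https://hub.docker.com, https://login.xing.com/, https://www.amazon.de/) all resolve to an entry, and sonyentertainmentnetwork.com resolves via its playstation.com equivalent.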

Hi @tendervittles and welcome to the community.

I really like the idea of using the equivalent domains and this will result in better reports.

The 2fa.directory does support the field additional-domains. This field can be used to add the equivalent domains on the 2fa.directory directly, which everyone who uses that listing would benefit from. We currently also use that field in the reports as long as it is filled.

Would it be feasible to add the equivalent domains there instead?

I haven’t looked deep into their contribution guidelines, but if you’d like to start adding them, I’d suggest keeping the PRs small, as that makes it easier to review and is more likely to get merged.

Also thank you for your other 2fa-related PR 👍 I’ll add that to our internal board for review.

Kind regards,
Daniel

@djsmith85

Thanks for the suggestion.

I wasn’t aware of the additional-domains field.

I’ll take a look at that this week.


Closing this, as this was fixed/included with Improve Inactive 2FA report