Following the 2fa.directory policy to exclude forums since they are usually self-hosted, or hosted as subdomains, it would be great if the Bitwarden “Inactive 2FA Report” feature aligned with it.
For example a vault entry for “forum[.]qnap[.]com” should not return a hit since QNAP forums use an independent authentication mechanism from the main QNAP page, and indeed does not support 2FA. But “www[.]qnap[.]com” which redirects to “account[.]qnap[.]com” on login, should produce a hit on the report since the site supports 2FA.
If a subdomain (such as community.bitwarden.com, which does have its own TOTP) has a different set of creds from its parent, it probably ought to be considered separately in the reports, but I don’t see the value in excluding “forum” subdomains entirely.
2fa.directory only provides information about base domains, because of their policy to only include domains in the top 200k websites ranked by SimilarWeb — which does not even rank subdomains.
Thus, to be clear, your feature request amounts to proposing that only vault items containing at least one URI string that starts with one of the following six formats should be included in the Inactive 2FA Report:
https://www.example.com
http://www.example.com
www.example.com
https://example.com
http://example.com
example.com
I think that it would in principle be (technically) possible to implement something like the above, but I think it would come with negative consequences. For example, the Inactive 2FA Report would become practically useless for users (like myself) who store only very specific URLs for login forms (to reduce the risk of leaking password data). For example, the URI stored for godaddy.com would be https://sso.godaddy.com/ (with URI matching set to Host); if your proposal were implemented, the user would not be alerted if they had not set up 2FA for their GoDaddy account. This could potentially be solved using the additional-domains field in the 2fa.directory database, but it seems that most entries do not use this field (e.g., their godaddy.com.json entry does not).
A more general (and probably more workable) solution would be to implement the ability to manually exclude vault items from future “Inactive 2FA” reports (including forum sites according to your use-case, but also accounts that use hardware keys or a 3rd-party TOTP authenticator for 2FA, or that use passkeys for authentication). Two relevant feature requests that are currently open are:
In addition, the following feature request from 2020 appears quite relevant to your proposal, but it has been closed:
Interestingly, the behavior described in that thread as undesirable seems to match the behavior that you are now requesting. This implies that something significant changed since 2020 (either on the part of Bitwarden, or on the part of 2fa.directory).
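To make the difference between the two matching rules concrete, here is a small added example (not code from the thread, from Bitwarden, or from 2fa.directory) that models both: the proposal above, where only the bare base domain or its `www.` host counts, and plain base-domain matching, where any subdomain of a listed domain counts. The directory subset, the vault items and the item schema are constructed for the illustration, and the base-domain helper is deliberately naive.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a few 2fa.directory base domains; the real
# directory is far larger and each site has a richer JSON entry.
SUPPORTS_2FA = {"qnap.com", "godaddy.com", "bitwarden.com"}


def host_of(uri: str) -> str:
    """Lowercase host of a vault URI; bare hosts without a scheme are accepted."""
    uri = uri.strip().lower()
    if "://" not in uri:
        uri = "https://" + uri  # 'example.com' or 'www.example.com'
    return urlsplit(uri).hostname or ""


def base_domain(host: str) -> str:
    """Naive registrable-domain guess: the last two labels.
    A real implementation should consult the Public Suffix List
    so that names such as example.co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def hits_under_proposal(uri: str, directory=SUPPORTS_2FA) -> bool:
    """The thread's proposal: a URI counts only if its host is exactly
    the listed base domain or its www. subdomain."""
    host = host_of(uri)
    base = base_domain(host)
    return base in directory and host in (base, "www." + base)


def hits_by_base_domain(uri: str, directory=SUPPORTS_2FA) -> bool:
    """Base-domain matching: any subdomain of a listed domain counts."""
    return base_domain(host_of(uri)) in directory


def inactive_2fa_report(items, matcher, directory=SUPPORTS_2FA):
    """Names of vault items with no TOTP stored whose URIs match under `matcher`."""
    return [
        item["name"]
        for item in items
        if not item.get("totp") and any(matcher(u, directory) for u in item["uris"])
    ]


# Constructed vault items mirroring the cases discussed in the thread.
VAULT = [
    {"name": "QNAP forum", "uris": ["https://forum.qnap.com/"], "totp": None},
    {"name": "QNAP account",
     "uris": ["https://www.qnap.com/", "https://account.qnap.com/"], "totp": None},
    {"name": "GoDaddy", "uris": ["https://sso.godaddy.com/"], "totp": None},
    {"name": "Bitwarden community",
     "uris": ["community.bitwarden.com"], "totp": "otpauth://totp/placeholder"},
]

if __name__ == "__main__":
    print("proposal:   ", inactive_2fa_report(VAULT, hits_under_proposal))
    print("base domain:", inactive_2fa_report(VAULT, hits_by_base_domain))
```

Run as a script, the proposal reports only the QNAP account item, while base-domain matching also reports the QNAP forum and the GoDaddy item stored as `https://sso.godaddy.com/`; the Bitwarden community item is skipped in both cases because a TOTP secret is present, which is exactly the mechanism behind the "add something to the TOTP field" workaround.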
Thank you for your thorough reply @grb. I had indeed seen the “Ability to mark 2FA as done in the inactive 2FA report” FR and voted for it since, as you say, it could be a good alternative to disregard those report hits that for different reasons (such as the one I exposed in this FR) are not applicable.
On the other hand, I understand the logic behind relaxing the URL match condition on the report so a more “wide” match can be done against 2fa.directory.
Since I cannot think of any alternative to handle these exceptions without requiring manual actions on the report hits, I think this FR could be closed.
To stop an entry from appearing in the inactive 2FA report just add some random number to the TOTP field for the entry. A single character is sufficient. I have done this for years for websites I use a security key for.
Yes, that’s an OK work-around (which I also use), but it is not ideal. It can get confusing when you see TOTP codes being generated for those items when viewing them in your vault.