Inactive 2FA Report Should Show Only One Result Per Login Item

Currently, when the vault contains login items eligible for TOTP that do not have a TOTP seed stored, the Inactive Two-Step Login Report can show duplicate results, as it lists a separate result for each URI stored in the login item.

This behavior is not desired. Users store multiple URIs in the same login item when there are multiple sites that are accessed using the same set of credentials (similar to defining a set of equivalent domains, but with more fine-grained control over URI match detection rules). It is therefore reasonable to assume that each site will accept the same TOTP, if one has been stored in the login item. Conversely, if no TOTP seed is stored in the item, it is sufficient to alert the user once, since adding a single TOTP to the login item can reasonably be assumed to provide 2FA for every stored URI in that item (in fact, it is not even possible to store distinct TOTP seeds for each URI).

Therefore, I propose that the Inactive Two-Step Login Report should search for items that have no stored TOTP key, if 2FA is available for one or more of the stored URIs. Each such item should be displayed only once in the list of results, no matter how many URIs are stored in the item.
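A sketch of the proposed per-item behavior, added here as an illustration; it is not the project's code and not part of the original post. The item fields (`id`, `name`, `uris`, `totp`), the function names, and the small set of 2FA-capable domains are assumptions, and the vault data is constructed.

```javascript
// Constructed stand-in for a directory of domains that offer 2FA.
const TWO_FA_DOMAINS = new Set(["example.com", "example.org"]);

// Lowercase hostname of a stored URI, or null if it cannot be parsed.
function hostnameOf(uri) {
  try {
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(uri);
    return new URL(hasScheme ? uri : "https://" + uri).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// True if the hostname is a listed domain or a subdomain of one.
function supports2fa(hostname, domains) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (domains.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// One result per login item that has no TOTP seed and at least one
// URI on a 2FA-capable domain, however many URIs the item stores.
function inactive2faReport(items, domains = TWO_FA_DOMAINS) {
  const results = [];
  for (const item of items) {
    if (item.totp) continue; // a seed is stored: nothing to report
    const hosts = new Set();
    for (const uri of item.uris ?? []) {
      const host = hostnameOf(uri);
      if (host && supports2fa(host, domains)) hosts.add(host);
    }
    if (hosts.size > 0) {
      results.push({ id: item.id, name: item.name, hosts: [...hosts] });
    }
  }
  return results;
}

// Constructed sample vault.
const SAMPLE_VAULT = [
  { id: "a", name: "Shared SSO", totp: null, uris: ["https://example.com/login",
      "https://accounts.example.com", "https://example.org"] },
  { id: "b", name: "Has seed", totp: "CONSTRUCTED-SEED", uris: ["https://example.com"] },
  { id: "c", name: "No 2FA offered", totp: null, uris: ["https://no2fa.test"] },
  { id: "d", name: "Messy URIs", totp: null, uris: ["not a uri", "example.org/signin"] },
];
console.log(inactive2faReport(SAMPLE_VAULT));
```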

Thanks @grb, I’ve shared this one with the team :+1:

Hi @grb,

this has also been reported here: #5789, with a linked fix that is expected to be included in a future release.

I’m closing this, as I’d consider it a bug that will get addressed once the PR gets merged.