The Inactive two-step login report is useful, but apparently just guesses (?) at which logins have 2fa set up. Some of the accounts with active 2fa still show up in this list.
- How does it determine this?
- How can I tell it that an account does indeed have 2fa set up?
Bitwarden uses the crowdsourced 2FA Directory database to determine which sites offer TOTP as a 2FA method. It then check each URI that is stored in your vault against the database. If a URI includes a domain found in the database, then Bitwarden checks if the corresponding login item in your vault contains a non-empty value in the “TOTP Authentication Key” field. If yes, the report indicates that two-step login is active; if no, the report flags the URI has not having active two-step login, even though the site offers the option to set up 2FA via TOTP.