OLLI_S

[Forwarded] Suggest TOTP

I talked with a colleague about password managers and he suggested 1Password.
On the website of 1Password I saw on the "Tour" site (https://1password.com/tour/) some features of 1Password.

One feature is very interesting and increases security:
They show which sites in your vault support TOTP but the user has not set up TOTP.

Here is a screenshot from the 1Password site:

[Image: watchtower screenshot]

Suggestion

In Enpass add the entry "Missing TOTP" in the section "Password Audit".
Here you should show all password entries where TOTP is possible but not set up by the user.

Here is a list of services that support TOTP: https://twofactorauth.org/

We had a doxxing scandal in Germany where a young guy published a lot of private information stolen from accounts of German politicians and German celebrities.
This guy was able to steal the data because the accounts used very weak passwords (like 123456) and were not secured with TOTP.

So this feature increases the security a lot!

Edited by OLLI_S

At the Two Factor Auth List (https://twofactorauth.org/) there is a link in the first column that opens the official documentation of the target service.
That means: at the entry "Trello" the link opens the documentation https://help.trello.com/article/993-enabling-two-factor-authentication-for-your-trello-account

So you could use the website to look up the services and open the link to the official documentation.

There is also some source code available at GitHub: https://github.com/2factorauth/twofactorauth

At the Two Factor Auth List (https://twofactorauth.org/) they have some criteria that describe which websites should be added:
https://github.com/2factorauth/twofactorauth/blob/master/CONTRIBUTING.md#site-criteria

So they do not add all sites.

I suggest that you add a new forum section where users can report websites that support 2FA and where Enpass does not yet suggest using 2FA.

Edited by OLLI_S

At first I thought it might be a nice feature, but on the other hand you have to consider that by updating those lists the Enpass app will establish a connection to the mentioned website (even though I have nothing against them) or even call home for manual updates.

I don't know if this feature is worth it, playing around with users' confidence.

On the other hand, adding this as an option that you have to proactively enable in the settings (like e.g. notifications about updates) could work, I think.

Hello,

by the way: the Two Factor Auth List (https://twofactorauth.org) also has a JSON file that contains all data:
https://twofactorauth.org/data.json

So this file can easily be used to check which of the user's websites support 2FA by authenticator code.
Here the following data is relevant:

"software":true

So it should be easy to implement.

Best regards

OLLI
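
An added example, not part of the original posts and not Enpass or 1Password code: the audit suggested in this thread, run offline against a local copy of the directory so that no vault URL leaves the device. Only the `"software": true` flag comes from the thread; the category/site nesting, the `url` and `doc` keys, and the vault entry fields are assumptions, and all sample data is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed directory sample. Only "software": true is taken from the thread;
# the nesting and the "url"/"doc" keys are assumed for illustration.
DIRECTORY = json.loads("""
{"communication": {
    "ExampleChat": {"url": "https://chat.example", "software": true,
                    "doc": "https://chat.example/help/2fa"},
    "ExampleMail": {"url": "https://www.mail.example", "sms": true}},
 "developer": {
    "ExampleGit": {"url": "https://git.example", "software": true}}}
""")

# Constructed vault entries; "totp" holds the stored secret, if any (hypothetical field).
VAULT = [
    {"title": "Chat", "url": "https://www.chat.example/login", "totp": None},
    {"title": "Git", "url": "login.git.example", "totp": "CONSTRUCTEDSECRET"},
    {"title": "Git (work)", "url": "https://login.git.example/"},
    {"title": "Mail", "url": "https://mail.example"},
    {"title": "Lookalike", "url": "https://notgit.example"},
    {"title": "Note without URL"}]

def host_of(url):
    """Lower-cased hostname without a leading 'www.', or '' if there is none."""
    if "//" not in url:
        url = "//" + url  # let urlsplit parse a bare "example.com/login"
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def totp_sites(directory):
    """Map hostname -> (site name, doc link) for sites flagged "software": true."""
    return {host_of(info.get("url", "")): (name, info.get("doc"))
            for category in directory.values()
            for name, info in category.items()
            if info.get("software") is True and host_of(info.get("url", ""))}

def missing_totp(vault, directory):
    """Entries whose site offers authenticator codes but that store no TOTP secret."""
    sites, findings = totp_sites(directory), []
    for entry in vault:
        labels = host_of(entry.get("url", "")).split(".")
        # Try the host and each parent domain on a label boundary (never the bare
        # TLD): "login.git.example" matches "git.example", "notgit.example" does not.
        candidates = (".".join(labels[i:]) for i in range(len(labels) - 1))
        match = next((c for c in candidates if c in sites), None)
        if match and not entry.get("totp"):
            findings.append((entry["title"], *sites[match]))
    return findings
```

Each finding carries the matched site name and its documentation link, which is what a "Missing TOTP" audit row would display.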

Share this post


Link to post
Share on other sites

Hello,

just a side note: 1Password also uses the Two Factor Auth List (https://twofactorauth.org/) as you can see in the screenshot in the first posting.
Using this list means that you don't have to update a list of pages that use 2FA, you just use an existing list.
You just have to write that the data is from an external source (like 1Password did it).

1Password also displays a link to the instructions (how to set up 2FA).
I think they open the link to the instructions that is provided by the Two Factor Auth List too.

Best regards

OLLI

Edited by OLLI_S
