"Inactive Two-Step Login" Report: include entries with registrable-domain fallback and no-documentation matches

[huchimama123]

Select Topic Area

✅ Code Contribution Proposal

Code Contribution Proposal

"Inactive Two-Step Login" Report: include entries with registrable-domain fallback and no-documentation matches, plus user warnings

Background

When running the “Inactive two-step login” report in my Web Vault, I noticed some missing items, which fall into two categories:

1. Items whose URIs did not match any of the services listed in 2fa.directory.
   For example:

   • A Google login with https://www.google.com as its URI
   • A Yahoo login with https://www.yahoo.com as its URI
     These failed to match because 2fa.directory only lists specific subdomains, such as mail and drive for Google, and mail for Yahoo.

2. Items without a documentation link, such as booking.com and nextdns.io.

Proposal

I propose that these cases be included in the report and marked appropriately.
Google and Yahoo are strong examples, as it is unlikely that users will save the specific subdomains listed in 2fa.directory as their login URIs.
It is preferable to be more inclusive in the report, even if it requires users to review some results manually or to research how to enable TOTP authentication for certain services.

Proposal Details

1. Registrable-domain fallback for broader matching:

   • In addition to the current map of 2fa.directory entries, maintain a second map keyed by the domain names of all entries.
   • If a login does not match via the current process, check if any of its URIs’ domain names appear in this second map. If so, include it in the report and mark it with a badge (e.g., “Needs review”) indicating it is a non-exact match. The badge should include a tooltip for clarity.
   • If the report includes such non-exact matches, display a note above the table to inform users.

2. Include items without documentation:

   • Show these in the report with a visually distinct, non-clickable badge labeled “No documentation” in place of the usual “Instructions” badge.

Reasoning

Even though this approach may raise occasional false alarms by surfacing possible matches that are not exact, it ensures that users are made aware of all accounts that could potentially lack two-step login protection.

Screenshots (suggested UI)

Before

Report only includes exact matches with documentation.

After

Report now includes non-exact matches (with warning badge and tooltip) and entries without documentation (with non-clickable badge). An explanatory note is also shown.

• A line indicating results that need review is shown in the callout when non-exact matches are present.
• Badges for items with no instructions link (non-clickable) are shown for entries like Booking.com and NextDNS.
• Badges for non-exact matches (with tooltip message) are shown for entries like Google and Yahoo.

Finally

I welcome any feedback or suggestions on this proposal, and I would be happy to implement it!

[github-actions[bot]]

✨ Thank you for your code contribution proposal! While the Bitwarden team reviews your submission, we encourage you to check out our contribution guidelines.

Please ensure that your code contribution includes a detailed description of what you would like to contribute, along with any relevant screenshots and links to existing feature requests. This information helps us gather feedback from the community and Bitwarden team members before you start writing code.

To keep discussions focused, posts that do not include a proposal for a code contribution will be removed.

• 💡 For feature requests and general discussion, please visit the Bitwarden Community Forums.
• ℹ️ For questions and support, visit the Bitwarden Help Center.
• 🐛 To report a potential bug, please visit the corresponding repo. Server | Clients | iOS | Android

Thank you for contributing to Bitwarden!