2fa.directory API #62
Comments
Sorry, just found the option to disable.
Actually I'm loading not the website but a very specific JSON file (https://2fa.directory/api/v2/tfa.json) and I'm sure that this will not load any other code from any additional website. Nevertheless I might think about looking for alternatives. Where are they listed as malicious?
Hi @Rookiestyle. The URL 2fa.directory was marked as "suspicious" by several security vendors over time (see https://www.virustotal.com/gui/domain/www.2fa.directory). I also know of Check Point products, which block the site even today. I would kindly ask you to disable the feature by default, as it is likely to raise alarms in corporate environments. Also, the concept of a password manager plugin connecting to the internet without prior user consent is likely to cause mistrust - even when done with good intentions.
Thanks for the hint.
I don't get this point. If you download and run the portable version on your company's device, from my point of view alerts are justified - not so much because of 2fa.directory but simply because it's programs accessing the internet which were not installed by your IT department.
Point taken. I updated the readme to make this clear and the next release will explicitly ask whether this feature shall be used.
While this holds true in a perfect world, I know many companies/customers that need to deal with a less than perfect reality. Convincing them to stop storing passwords in Excel is much more difficult when the password manager causes alerts in their brand new antivirus 🤪
Hi,
I figured out you are using the 2fa.directory API for checking if 2FA is available.
Unfortunately they are listed as malicious and they also load content from tdsjsext1.life, which is also malicious.
Can you remove or change this API? Or give users an option to disable this API?
Best Regards,
Tim