2FA Notifier is a web extension that notifies users whether or not the sites they visit support two factor authentication (2FA).
Home Page: https://2fanotifier.org
License: MIT License
Currently, a notification is shown once per domain per browser session. The list of which domains have already been shown is only stored in memory, so restarting the browser will lose that info and start from scratch.
We should ask users for feedback on when to show notifications and then (likely) implement a few different options that users can configure.
Current ideas:
Create an on-boarding process after the extension is installed.
@designedbinary said there were some tweaks he wanted to make to the current shield icon. I will let him fill in this description with details and/or just do it.
When user clicks the down arrow, the down arrow should disappear. The intended result is that the user cannot hide the expanded content.
Also make sure it is short enough not to trigger the scroll bars
The image is way too close to the edge of the notification. Need to check if this can be modified programmatically, or if it is better to just rework image to include the padding.
On wikipedia.org, the extension says "No 2FA here". Going to the menu, selecting About, and then going back results in the text "2FA Guide for website.com" and it says that all 2FA options are supported.
Before we blast this out on social media, I want the manifest to have permission to make requests to twofactorauth.org and 2fanotifier.org so that we have options on where to pull our data from. Adding them in now even if we don't use them will avoid the issue of asking users to allow updated permissions down the road.
Identify existing URLs that redirect to some other domain. The data includes both a service name and a service URL. The URL should be the fully resolved domain where possible so that tools like 2FAN can take action on it. The service name (not the URL) can be displayed in the UI if necessary, so the fact that the URL might point somewhere "weird" looking isn't really a problem if that is the true destination of the redirects.
Relates to #42
Need to wait for gulp integration and ability to use/compile sass
docs.google.comtwofactorauth.orgManual testing (yea, I know) concludes that 2FAN works as expected on FF too! Woo!
Now, need to get it published to the FF store and listed on the 2fanotifier.org website so that people can install it and start enabling 2FA everywhere!
We do not have a 2FAN icon yet, so we might be able to get away with the green shield icon for now. Most important thing is to get an icon in the Chrome Web Store listing so that 2FAN looks more legit.
The button "Enable 2FA" should link to the exact service's docs. Also, the name on the button should reflect the appropriate domain.
Once the user either clicks the notification to go to the documentation OR clicks the "close" button, then stop showing the notification for that domain.
Currently, the JSON file is hardcoded. Pull down the live version from twofactorauth.org/data.json
Fix the text encoding on the feedback page:
Do you find this extension helpful? Annoying? Is there something you’d like to see changed or added?
We’d love to hear from you! Drop us a line at [email protected]
and the About page:
If you are interested in jumping into the code for 2FAN, we’ve open sourced everything on our Github repo here.
We have ignored automated testing so far because < insert unconvincing reason here >. Testing is critical because < insert a bajillion reasons here > and we should do better.
Currently, we have two plain text bullet points recommending:
- Create a unique password
- Use a password manager
These are both sound pieces of advice, but are not actionable by the average user. We should recommend more specific steps to take, such as recommending a specific password manager(s), linking to resources on what makes a good password, not to reuse passwords between accounts, etc.
Users do not know what to do with the information presented in the 2FA methods section.
Help them make a decision about what they are looking at.
Make a "security" scale
That's all.
When I click the button on github.com, it shows the "no 2FA" page even though github does support 2FA and it should show the "woo! 2FA" page. Figure out what's up.
Create assets for those promotional images
Most users do not know what each 2fa method does. Should link to 2FA documentation that shows this information and helps them to make a decision.
Currently, 2FAN only reports "Yes, 2FA supported" or "No, 2FA not supported". We should introduce a third state "We are not sure. You should check" so that we don't tell people that a site does NOT support 2FA when it actually might. If the site is not included in our dataset, then we currently report that as "no 2fa", but that is misleading.
What should the UX be for the third case where the site is not present in our dataset, so we are unsure whether or not it supports 2FA?
Be sure to support
Icon is slightly blurry. Need to pixel fit to get a better result.
Update the browser action popup menu to include some kind of links to allow people to easily post on social media. This will have the same goals as twofactorauth.org and will also help publicize 2FAN
Update 2fanotifier.org to include an install button/link/whatever.
We will need to enlist the help of the community to accomplish this.
Things to do to facilitate this larger effort:
We are not handling the scenario where there is no doc field for a given site. The link has href="#", but also target="_blank", so it opens a new page and shows the same page as the popup menu. Clearly, this looks horribly broken.
How should we handle this scenario?
Ideas:
exception text from the twofactorauth.org if it is presentI get this situation reliably by:
Choosing the repair option does seem to work, but the flow is repeatable after the repair.
Extension version 0.2.1
Chrome version 66.0.3359.139
In the expanded dropdown, the user can click on the down arrow. When clicked, it reveals a list of 2FA methods the the domain supports.
This should be updated to show the correct 2FA methods supported.
I like the idea of having an icon in my Chrome extensions, but think the desktop notifications should be optional.
I do recognize that it's "smart", and only shows on the first load of a new site, but would like to disable it for all sites moving forward.
Need to update to display the current site name instead of the hardcoded value "website.com"
Fixing up the messaging so it is more clear that we bring the user to the documentation that explains how to enable 2FA and that we don't actually enable 2FA. Through user testing, we saw that people were confused what clicking the "Enable 2FA" button would do and asked "Will this enable 2FA if I click this button?".
Button should say something more along the lines of "How to enable 2FA" or "learn more"
Add Typi library to have better typographic control.
I love the extension and read through the code. I noticed that you could probably go without jQuery to save resources.
http://youmightnotneedjquery.com/ is a great guide.
Need a supported and not supported icon
Need initial onboarding.
Onboarding should minimally convey:
Currently, a notification is shown any time a page loads in a tab. This is means that a notification will show if I open a bunch of new tabs and they load in the background.
Change it so that a notification is only shown for the domain in the current tab.
We discovered through user testing that the data from twofactorauth.org needs lots of TLC for it to be actionable for users of 2FAN. This issue is to document some of those current issues and brainstorm ways to manually or automatically clean up the data. Where possible, improvements should be shared upstream with twofactorauth.org
linkedin.com to www.linkedin.comdoc entry that is actually a local path. This points to a page on twofactorauth.org, but the doc field should be a FQDN. Fix these entries.The link to the Chrome store has some extraneous query params on the end which should be removed so that people can actually install the thing...oops
In hindsight, putting the website into the same repo as the extension causes some conflicts among the CHANGELOG.md file, the versioning, etc. It might make more sense to have them in separate repos since they will not be revving at the same pace, etc.
Think about automated ways of identifying URLs that break. For example, sites that don't responsibly redirect links and they end up 404'ing
Relates to #42
@conorgil @designedbinary you should get rid of the blue outline:
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.