
Extension does not notify on subdomains #90

Open
conorgil opened this issue Jul 13, 2018 · 2 comments
Labels: data (Data sources, cleanliness, etc); enhancement (New feature or request); Idea / Request for Comment (These issues are meant to document longer term ideas and spark discussion and feedback.)

Comments

@conorgil (Owner)

There are many services that switch to using a subdomain after the user logs in.

Example:

  • dash.cloudflare.com vs www.cloudflare.com
  • ap.www.namecheap.com vs www.namecheap.com

2FA Notifier does not correctly notify on these subdomains because they are not in our dataset. Not only does it not notify, but it actively sets the 2FA Notifier icon to the "No 2FA" state, which is misleading and often incorrect.

We could update the dataset on a case-by-case basis to handle these scenarios by entering all of the subdomains in addition to the main domains that are likely already in the dataset. However, that would require a huge amount of manual maintenance and isn't scalable. For example, think about all of the Google services that exist on sub-domains...there are a ton of them and it wouldn't be a good use of time to keep track of services as they are introduced, retired, removed, etc. Most (all?) Google services rely on the same authentication flow and therefore the same 2FA, so they will have the same notification, the same docs, etc.

We should consider a more scalable approach that minimizes manual maintenance.

Ideas:

  • Automatically match on just the root domain for all entries in the data set
    • Pro: very flexible and can handle lots of scenarios
    • Con: possibility for false positives. The user might get a notification for a site that doesn't actually support 2FA if the service for some reason allows login on different subdomains and some of those subdomains support 2FA and some don't. I cannot think of an example off-hand, but perhaps a service that sets up URLs for customers like customer.someservice.com and some customers allow 2FA while others don't?
    • Con: possibility for different documentation for enabling 2FA on a subdomain compared to the main domain? Related to the previous con, but
  • Manually update entries in the dataset to allow for a flag that indicates that we should match on just the root domain
    • Cons: similar to previous idea
    • Con: way more work than just doing it automatically
    • Pro: by manually setting this flag, we can first do some research to make sure that the service doesn't fall into the trap of those cons
@conorgil conorgil added enhancement New feature or request data Data sources, cleanliness, etc Idea / Request for Comment These issues are meant to document longer term ideas and spark discussion and feedback. labels Jul 13, 2018
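As an added illustration of the second idea above (example code, not 2FA Notifier's own): entries carry a hypothetical `matchRootDomain` flag, and a page hostname is reduced to its registrable root domain before comparison. `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List; without the full list, a shared suffix such as github.io would make every tenant under it look like one site, which is exactly the false-positive risk the first con describes.

```javascript
// Added example, not 2FA Notifier's own code: resolve a page hostname against
// a dataset of 2FA entries, matching on the registrable root domain only when
// the entry's hypothetical `matchRootDomain` flag is set.
// Constructed subset of the Public Suffix List (a real extension ships the
// full list); "github.io" shows why: each tenant is its own registrable domain.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain = longest matching public suffix plus one more label.
function rootDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return null; // single label, or the hostname is itself a public suffix
}

// Constructed dataset entries in the shape the second idea suggests.
const DATASET = [
  { domain: "www.cloudflare.com", tfa: true, matchRootDomain: true },
  { domain: "www.namecheap.com", tfa: true, matchRootDomain: true },
  { domain: "www.example.org", tfa: false, matchRootDomain: false },
  { domain: "alice.github.io", tfa: true, matchRootDomain: true },
];

// Returns "supported", "unsupported" or "unknown"; a miss is reported as
// unknown rather than as "No 2FA", which the issue notes is misleading.
function lookup(hostname, dataset = DATASET) {
  const host = hostname.toLowerCase();
  const exact = dataset.find((e) => e.domain === host);
  if (exact) return exact.tfa ? "supported" : "unsupported";
  const root = rootDomain(host);
  if (root === null) return "unknown";
  const viaRoot = dataset.find(
    (e) => e.matchRootDomain && rootDomain(e.domain) === root
  );
  if (viaRoot) return viaRoot.tfa ? "supported" : "unsupported";
  return "unknown";
}
```

With this shape, dash.cloudflare.com and ap.www.namecheap.com resolve to their flagged root entries, while bob.github.io does not inherit alice.github.io's entry because github.io is a public suffix.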
@conorgil (Owner, Author)

It was pointed out to me that vanguard.com has this same issue because they use many different subdomains for login depending on which type of investor you are. The domain www.vanguard.com is in the 2FA.org data set, but the other subdomains are not, so they show up as "2FA not supported".

@conorgil (Owner, Author)

Note: if/when we update to support all subdomains, make sure to update the wording in the "I already enabled 2FA" screen. Currently, it says "You've enabled 2FA for something.example.com" and if we support subdomains, then it should likely use the root domain here (example.com) instead of the full subdomain (something.example.com).

@conorgil conorgil changed the title Handle services that use subdomains after login Extension does not notify on subdomains Aug 27, 2019