Skip to main content
November 8, 2025
Question

Watchtower and Two-factor authentication

  • November 8, 2025
  • 3 replies
  • 132 views

My Watchtower has flagged nine "sites that have two-factor authentication but you haven't set it up yet".  However, six of these sites are set up with passkeys.  The other three sites are two-factor enabled.

Why is the Watchtower flagging the three two-factor enabled sites?   Why is the Watchtower flagging passkey sites?  Are not passkeys a two-factor method?

 

3 replies

November 12, 2025

Hi,

Watchtower reports that a login doesn't have two-factor authentication enabled when there is a saved passkey, but no one-time code.

November 14, 2025

I just tested it on 1Password 8.11.18, and Watchtower still marks logins that have passkeys saved as having no two-factor authentication enabled.

 

jmb679Author
November 17, 2025

The preferred fix appears to be to add a "2FA" tag to these login items.  Or, just "Ignore" them.

1P_Dave
1Password Employee
December 23, 2025

Hello @jmb679 and @1pass_user! 👋

Thanks for the question! Passkeys are already resistant to phishing and can be considered to have the same level of security as a password plus two-factor authentication, with a lot less friction. Two-factor authentication was designed to add an additional layer of protection to passwords against phishing.

If you have a Login item saved in 1Password that contains a passkey, and that also contains a password, then you'll see Watchtower flag that item as having 2FA available. This is because most websites still allow you to sign in either using your passkey (which is resistant to phishing) or your password (which is not). 

There are a few options here: 

 

Why is the Watchtower flagging the three two-factor enabled sites?

Is the one-time password for those websites saved in 1Password? Or are you using a different authenticator app? 

-Dave