1p cli and 2FA

Is it possible to force the 1P CLI tool to require 2FA approval periodically?

I don't need this for every single request, but when you consider that the
~/.op/config file contains the following plain-text:

    {
        "latest_signin": "...",
        "device": "...",
        "accounts": [
            {
                "shorthand": "...",
                "url": "https://....1password.com",
                "email": "[email protected]",
                "accountKey": "AB-123-DEF-123-FFDSH",
                "userUUID": "...",
                "dsecret": "..."
            }
        ]
    }

You can see why having enforced 2FA is a Good Thing. Anybody with access to the config file now only needs the password to gain access.

Ideally it would be possible to enforce mandatory 2FA at the session auth stage each time, and also have a way of flagging values (or perhaps an entire vault) to require 2FA approval (or Touch ID in a corresponding app) for each usage, like Duo 2FA does.
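
Since the excerpt in the post shows `accountKey` and `dsecret` stored in plain text, a host-side check is whether the config file or its directory is accessible to other local users. The following is an added example, not part of the original post and not 1Password's code; it assumes `accounts` is a list of objects as the excerpt suggests, and all sample values are constructed.

```python
import json
import os
import stat
import tempfile

# Field names taken from the config excerpt in the post above.
SECRET_FIELDS = ("accountKey", "dsecret")


def audit_op_config(path):
    """Return a list of findings for an op CLI config file at `path`."""
    findings = []
    # The file and its directory should be accessible by the owner only.
    for target in (path, os.path.dirname(os.path.abspath(path))):
        mode = stat.S_IMODE(os.stat(target).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{target}: mode {mode:04o} grants group/other access")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    # Assumption: "accounts" is a list of objects, as the excerpt suggests.
    for account in config.get("accounts", []):
        label = account.get("shorthand") or account.get("url") or "<unnamed>"
        stored = [f for f in SECRET_FIELDS if account.get(f)]
        if stored:
            findings.append(f"account {label}: plaintext {', '.join(stored)}")
    return findings


def demo():
    """Audit a constructed config twice: loose mode, then owner-only."""
    sample = {"latest_signin": "demo", "device": "constructed-device",
              "accounts": [{"shorthand": "demo",
                            "url": "https://example.1password.com",
                            "accountKey": "CONSTRUCTED-KEY",
                            "dsecret": "constructed-secret"}]}
    with tempfile.TemporaryDirectory() as tmp:  # created with mode 0700
        path = os.path.join(tmp, "config")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # deliberately loose for the first pass
        loose = audit_op_config(path)
        os.chmod(path, 0o600)  # owner-only for the second pass
        tight = audit_op_config(path)
    return loose, tight


if __name__ == "__main__":
    print("\n".join(demo()[0]))
```

To audit a real installation, call `audit_op_config(os.path.expanduser("~/.op/config"))`; the plaintext finding remains even with tight permissions, which is the exposure the post describes.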

