1p cli and 2FA
Is it possible to force the 1P cli tool to require 2FA approval periodically?
I don't need this for every single request, but when you consider that the ~/.op/config
file contains the following plain-text:
{
  "latest_signin": "...",
  "device": "...",
  "accounts": [
    {
      "shorthand": "...",
      "url": "https://....1password.com",
      "email": "user@example.or",
      "accountKey": "AB-123-DEF-123-FFDSH",
      "userUUID": "...",
      "dsecret": "..."
    }
  ]
}
You can see why having enforced 2FA is a Good Thing. Anybody with access to the config file now only needs the password to gain access.
Ideally it would be possible to enforce mandatory 2FA at the session auth stage each time, and also have a way of flagging values (or perhaps an entire vault) to require 2FA approval (or Touch ID in a corresponding app) for each usage, like Duo 2FA does.
Comments
Hey @skunkwerks
Enforcing account-wide 2FA policies is a feature for the Business tier of accounts.
With a 1Password business account, administrators can manage 2FA by enforcing it for everyone on your team.
For more info, please check out https://support.1password.com/two-factor-authentication/#manage-two-factor-authentication-for-your-team
Please note that even with the Business tier, using Authenticator Applications will only enforce 2FA on new device logins.
Using our integration with Duo will allow the admins to manage how often they should be prompted for 2FA, and the shortest period currently is daily.