Security questions about biometric CLI authentication

felix_scheinost
Community Member

Hi!

First off, I think the biometric CLI authentication is awesome!
I always wished I could write scripts that I could share with my coworkers where secrets were fetched automatically.

I just tested the functionality for the first time and everything seems to work, cool!

Would it be possible to change it so that:

  • every invocation of the op command would require authentication? Currently it seems like I only need to authenticate once per process? I worry that I might authenticate the CLI initially for a legitimate access but later in the script a malicious call to the CLI happens. It seems this might not need additional authentication so the user wouldn't notice.

  • (this sort of depends on the previous point) to further reduce the attack surface, could the authentication dialog specify which e.g. items are accessed? Currently it just says the account name, and process name.

Thanks! Keep up the good work!


1Password Version: 80700002
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Joris_1P
    edited April 2022

    Hey @felix_scheinost,

    It's really nice to hear that you like biometric unlock for the CLI.

    • every invocation of the op command would require authentication? Currently it seems like I only need to authenticate once per process? I worry that I might authenticate the CLI initially for a legitimate access but later in the script a malicious call to the CLI happens. It seems this might not need additional authentication so the user wouldn't notice.

    What you can do, is run op signout immediately after executing your command. That will revoke your authorization. So any subsequent use of the CLI will require you to grant authorization again.

    • (this sort of depends on the previous point) to further reduce the attack surface, could the authentication dialog specify which e.g. items are accessed? Currently it just says the account name, and process name.

    That's a really good suggestion. We are considering whether this is something that we can add.

    Thank you for your feedback!

    Joris
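
The pattern Joris describes, as an added example that is not part of the original thread and not 1Password's own code: a small `op_once` wrapper runs one `op` command and immediately calls `op signout`, so a later call in the same script has to go through the authorization prompt again. Because the real CLI cannot run offline, the script defaults to a constructed stand-in (`fake_op`) that models only the behaviour the thread describes (first call after a signout prompts, later calls reuse the session); the vault and item names in the `op://` references are made up for the example. Set `OP_CMD=op` to run the wrapper against the real CLI.

```shell
#!/bin/sh
# Added example (not 1Password's code): apply Joris's advice by running
# "op signout" right after each op call that needed the biometric session.
# Set OP_CMD=op to use the real CLI; the default is a constructed stand-in
# so the script runs offline and the prompt count can be checked.

OP_CMD="${OP_CMD:-fake_op}"
OP_LOG="${OP_LOG:-$(mktemp)}"          # event log written by the stand-in only
OP_SESSION="${OP_SESSION:-$(mktemp)}"  # non-empty file = authorization granted

# Constructed stand-in modelling only what the thread describes: the first call
# after a signout "prompts" (logged as PROMPT), later calls reuse the session.
fake_op() {
  case "$1" in
    signout)
      : > "$OP_SESSION"
      echo "SIGNOUT" >> "$OP_LOG" ;;
    *)
      if [ ! -s "$OP_SESSION" ]; then
        echo "PROMPT" >> "$OP_LOG"        # the user would see the dialog here
        echo active > "$OP_SESSION"
      fi
      echo "CALL:$*" >> "$OP_LOG"
      echo "secret-for-$2" ;;            # fake secret value, constructed
  esac
}

# Run one op command, then revoke the authorization even if the command failed,
# preserving the command's exit status for the caller.
op_once() {
  "$OP_CMD" "$@"
  rc=$?
  "$OP_CMD" signout >/dev/null 2>&1 || true
  return $rc
}

# Naive script: the first op call prompts, the second (imagine it is the
# malicious call the poster worries about) silently reuses the session.
# Vault/item names in the secret references are made up for the example.
scenario_session_reuse() {
  "$OP_CMD" read "op://Shared/db/password" >/dev/null
  "$OP_CMD" read "op://Shared/prod/api-key" >/dev/null
}

# Same script with op_once: every fetch triggers a fresh prompt.
scenario_signout_each() {
  op_once read "op://Shared/db/password" >/dev/null
  op_once read "op://Shared/prod/api-key" >/dev/null
}

# Run a scenario from a clean state and print how many prompts it caused.
prompts_with() {
  : > "$OP_LOG"
  : > "$OP_SESSION"
  "$1"
  grep -c '^PROMPT$' "$OP_LOG"
}

# With the stand-in:
#   prompts_with scenario_session_reuse   -> 1
#   prompts_with scenario_signout_each    -> 2
```

The `|| true` on the signout keeps the wrapper's exit status equal to that of the actual command, so callers that check `$?` or run under `set -e` see the real result of the fetch rather than of the signout. Note that this only narrows the window between a legitimate fetch and a later call; anything that runs between the two lines inside `op_once` still shares the session.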

This discussion has been closed.