Apple Watch stalls-out when a plethora of authentication requests come through

Ryan Parman
Community Member

As a software engineer, I regularly use iTerm with multiple tabs, and multiple split-screen sessions per tab. So after I reboot my computer and re-open iTerm, I suddenly get hit with 10–40 1Password prompts in quick succession as each session in each tab asks for my permission.

When wearing my Apple Watch, those auth requests end up getting routed to it. Problem is, Apple Watch can't keep up. Having one request after another, after another, after another… Apple Watch just quits trying. I end up having to click "cancel" on the macOS prompt (failing that auth), and letting the next one come in, which I can approve with the double-click on the watch button.

But they inevitably come in too fast, so I end up having to cancel several requests. Which means that I then have to go back to my terminal and refresh the sessions one-by-one.

If I take my Apple Watch off, and set it on my desk, I get a simple click-button prompt on my Mac. Yes, there are still 40 of them, but they don't stall-out. I also have Touch ID available, but 1Password appears to prefer Apple Watch over it.


1Password Version: 80800094, on BETA channel
Extension Version: N/A
OS Version: macOS 12.5 Beta (21G5027d)

Comments

  • Ryan Parman
    Community Member

    Actually, maybe this belongs in the Apple Watch category.

  • Ryan Parman
    Community Member

    Ping.

  • floris_1P
    edited June 2022

    The SSH category is the right place! Having many consecutive prompts is not the intended experience; this should not be happening, and we're investigating the issue. We'll keep you posted here.

    To help us out, could you describe what kind of processes are running in those iTerm tabs? Is there something polling in the background by any chance?

  • Ryan Parman
    Community Member

    It's a blend of op calls happening in ~/.profile, and maybe a ssh -T git@github.com to validate my key.

    I've had more than one experience where some piece of software ends up logging all of my environment variables to a logfile, then that logfile gets pushed out to the internet. (One of those times was when I worked at AWS before IAM existed and root credentials for the AWS account that everyone in the SDK/Console teams used ended up on the internet. Certain features of IAM, Athena, and the https://github.com/awslabs/git-secrets repo are my fault.)

    Essentially, I've been moving credentials out of plain text files and into 1Password. Presently I'm sourcing them from op into my current shell session, but I think I want to write something like AWS Vault that can fetch a token and pass it to a command running inside a sub-shell so that the credential never gets exposed to the parent-most scope of the current shell session. But that's a whole other topic.

    Right now, it's just my Apple Watch getting overwhelmed when ~/.profile gets executed many times in rapid succession, which I've narrowed down to a single op call, and a single ssh call.

  • Ah, thanks for clarifying that. Looking at your comment, I'd recommend moving the op calls that require authentication out of your shell profile. The CLI has an even stricter authorization model than SSH does, and wasn't really built for use in global shell profiles.

    A better approach I'd suggest looking into is to use op run. Instead of loading every secret into every shell, you'd load your secrets only when they're needed. This works nicely with aliases, e.g. alias terraform='op run -- terraform'. And if you then run terraform, that's the moment you'll get prompted.

This discussion has been closed.
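
The lazy-loading approach suggested in the last reply, written out as a shell profile fragment. This is an added example, not code from the thread or from 1Password. The helper name `op_wrap`, the variable `EXAMPLE_API_TOKEN` and the vault and item names are assumptions made for illustration.

```shell
# Added example for ~/.profile. Sourcing it never calls `op`, so opening many
# terminal panes at once triggers no authorization prompts.

# A secret *reference*, not a secret: safe to export everywhere. `op run`
# resolves op:// references only for the child process it launches.
# Vault, item and variable names are constructed placeholders.
EXAMPLE_API_TOKEN='op://ExampleVault/example-item/credential'
export EXAMPLE_API_TOKEN

# op_wrap NAME...: define NAME() so the command runs under `op run`.
# Authorization happens on first use of NAME, not when the profile loads.
# `op` is an external program, so it executes the real binary and the
# function does not recurse into itself.
op_wrap() {
  _rc=0
  for _cmd in "$@"; do
    case "$_cmd" in
      ''|*[!A-Za-z0-9_]*)
        # Names are passed to eval below: accept plain identifiers only.
        echo "op_wrap: refusing unsafe name: $_cmd" >&2
        _rc=1
        continue ;;
    esac
    eval "${_cmd}() { op run -- ${_cmd} \"\$@\"; }"
  done
  unset _cmd
  return "$_rc"
}

op_wrap terraform   # the command from the reply; add others as needed
```

The parent shell only ever holds the `op://` reference, so a tool that dumps the environment to a log file records the pointer rather than the credential. The resolved value exists only in the environment of the wrapped command while it runs.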