Check if Biometrics are enabled on CLI 2?

jgawrych
jgawrych
Community Member
in CLI

Hello! I am writing a script that uses the 1Password CLI 2. I would like this script to only run when connected to the desktop app using biometrics, and if it was not enabled, tell the user to enable it. I didn't see any cli command that could tell me if the biometrics were enabled. Currently I'm using:

op account add --address 'invalid' --email 'invalid' 2>&1 | grep 'Biometric unlock .* enabled' &>/dev/null

Which is less than ideal, as it forces an error to see if the address add command prints something about biometrics to stderr. Is there a better way to do this, or can it be added?

Thank you!

1Password Version: 8.7.3
Extension Version: cli 2.5.1
OS Version: macOS 12.4
Browser:_ Not Provided
Referrer: forum-search:Check if Biometrics are enabled?

Comments

  • Horia.Culea_1P
    Horia.Culea_1P

    Hey @jgawrych, currently we have no specific command that would return whether the biometrics are enabled or not, in the CLI. I'm going to be opening an internal ticket tracking this.

    In the meantime, here are some workarounds that might work for you:

    • starting with 2.6.0-beta.05, the op account use command is a simpler way to select your biometric account. This will once again return an error if biometrics are not enabled. This is, maybe, more convenient than running a full op account add command.
    • Running basically any command, if not signed in, will be triggering an error, if the user is not using biometrics. If you want to enforce this, you can sign out all accounts with op signout --all before running another command, such that you'd make sure that the script would fail if biometrics are not enabled.
    • What I personally do in my own scripts making use of the CLI, in order to enforce the use of biometrics, is exporting the OP_BIOMETRIC_UNLOCK_ENABLED environment variable. When this variable is set to true, this forces the CLI to try to connect to 1Password 8. If the CLI integration is not enabled in the application, you would get a message similar to:
    connecting to desktop app: connecting to desktop app timed out, make sure it is installed, running and CLI integration is enabled

    which by itself is a way to tell the user to enable the biometrics integration.

    Let us know if any of this helps. Otherwise, we'll make sure to keep you updated with any developments related to being able to retrieve the biometrics' state from the CLI.

    Best,
    Horia

  • zcutlip
    zcutlip
    Community Member
    edited September 2022

    Hi, I came here looking for something similar. Currently in pyonepassword, I need to know if it's an error if the caller to OP() didn't provide a password.

    I'm using the following heuristic:

    • op account list --format json
    • if the dictionaries include the shorthand key, biometric is NOT enabled
    • If no shorthands are present, biometric is enabled

    This works reasonably well since op account list doesn't itself require authentication and is local only (doesn't touch 1Password in the cloud).

    No idea if that's a reliable heuristic or not. Also it clearly won't work if no accounts have had initial sign-in

    Here's the code for what I'm doing:
    https://github.com/zcutlip/pyonepassword/blob/3642c63123283b563b2edf79b2f721757ec14b04/pyonepassword/_py_op_commands.py#L168

  • andi.t_1P
    andi.t_1P

    Thanks for your solution!

This discussion has been closed.