Thank you for the suggestion! Can you clarify if you're looking to use DUO as a second factor for your 1Password account or if you'd like to store HOTP-based one-time passwords for other services in 1Password?
Hi @Dave_1P,
Thank you for your interest. Answering your question, this is more likely the second, namely, I would like to see support for HOTP - Hash -based One-Time Password in 1Password to pass Cisco Duo Passcodes.
To say the truth, I already got out. I'm using Duo HOTP Python3 lib for that. In part, I also refer to the article by Shreyas Minocha
So by the help 1Password CLI i get password for VPN client and HOTP duo passcode with duo-hotp lib.
!/usr/bin/env bash
get_pw () {
/usr/local/bin/op read op://Private/'id'/password
}
get_pw_keychain () {
security 2>&1 >/dev/null find-generic-password -ga domain-tld-vpn \
|ruby -e 'print $1 if STDIN.gets =~ /^password: "(.*)"$/'
}
get_passcode () {
/usr/bin/python3 ~/duo.py next -s ~/.duo-hotp
}
ADDR=domain-tld-vpn
USER=username
PASSWORD=$(get_pw)
if [[ ! -z "$PASSWORD" ]] && [[ "{$(/opt/cisco/anyconnect/bin/vpn status)[0]}" == *"Disconnected"* ]]; then
killall -kill "Cisco AnyConnect Secure Mobility Client" >/dev/null 2>&1
PASSCODE=$(get_passcode)
if [[ -z "$PASSCODE" ]]; then
echo "Error getting DUO HOTP Passcode!"
exit 1
fi
/usr/bin/expect -f - <<EOD
set timeout 10
spawn /opt/cisco/anyconnect/bin/vpn connect $ADDR
send -- "5\r"
expect "\r\nUsername:*" {send -- "$USER\r"}
expect "Passcode: " {send -- "$PASSWORD,$PASSCODE\r"}
expect "Connected"
EOD
else
echo "Seems to be already connected or no credentials were provided!"
/opt/cisco/anyconnect/bin/vpn state
/opt/cisco/anyconnect/bin/vpn stats
fi
Comments
a vote for HOTP (Duo Mobile 2FA) support
Team Member
Hello @vady! 👋
Thank you for the suggestion! Can you clarify if you're looking to use DUO as a second factor for your 1Password account or if you'd like to store HOTP-based one-time passwords for other services in 1Password?
I look forward to hearing from you.
-Dave
Hi @Dave_1P,
Thank you for your interest. Answering your question, this is more likely the second, namely, I would like to see support for HOTP - Hash -based One-Time Password in 1Password to pass Cisco Duo Passcodes.
To say the truth, I already got out. I'm using Duo HOTP Python3 lib for that. In part, I also refer to the article by Shreyas Minocha
So by the help 1Password CLI i get password for VPN client and HOTP duo passcode with duo-hotp lib.
!/usr/bin/env bash get_pw () { /usr/local/bin/op read op://Private/'id'/password } get_pw_keychain () { security 2>&1 >/dev/null find-generic-password -ga domain-tld-vpn \ |ruby -e 'print $1 if STDIN.gets =~ /^password: "(.*)"$/' } get_passcode () { /usr/bin/python3 ~/duo.py next -s ~/.duo-hotp } ADDR=domain-tld-vpn USER=username PASSWORD=$(get_pw) if [[ ! -z "$PASSWORD" ]] && [[ "{$(/opt/cisco/anyconnect/bin/vpn status)[0]}" == *"Disconnected"* ]]; then killall -kill "Cisco AnyConnect Secure Mobility Client" >/dev/null 2>&1 PASSCODE=$(get_passcode) if [[ -z "$PASSCODE" ]]; then echo "Error getting DUO HOTP Passcode!" exit 1 fi /usr/bin/expect -f - <<EOD set timeout 10 spawn /opt/cisco/anyconnect/bin/vpn connect $ADDR send -- "5\r" expect "\r\nUsername:*" {send -- "$USER\r"} expect "Passcode: " {send -- "$PASSWORD,$PASSCODE\r"} expect "Connected" EOD else echo "Seems to be already connected or no credentials were provided!" /opt/cisco/anyconnect/bin/vpn state /opt/cisco/anyconnect/bin/vpn stats fiBtw, HOTP implemented by Google Authenticator.
Interesting read!
Does anyone know about something similar for Ping Identity?
https://www.pingidentity.com/en/platform/capabilities/multi-factor-authentication/pingid.html
(I’d love to use 1Password instead of their ugly App…)