Cross-Platform Compatibility and User Experience Feedback with 1Password CLI and AWS MFA integration

eigrad
Community Member

Dear 1Password Support and Community,

I hope this message finds you well. I am writing to share some concerns regarding the integration of 1Password with AWS MFA across different operating systems.

Recently, a colleague of mine praised your integration with AWS for MFA authentication, emphasizing how smoothly it operates on his Mac OS system. As a team, we have been considering implementing MFA on AWS for some time, and his positive experience prompted us to move forward with using 1Password as our MFA solution.

Unfortunately, we have encountered some difficulties during the implementation process. It seems that the seamless integration is limited to Mac OS. Some of our team members are using Windows with WSL, while others (myself included) are operating on Linux with a tiling window manager. We have found that the user experience and performance of the 1Password CLI integration on these systems significantly lag behind that on Mac OS. Even on Mac OS, one of our engineers struggled for two hours to set up the 1Password app and CLI integration, indicating that even the supposedly optimized platform presents significant challenges.

To put it in perspective, as a long-term user of the 'pass' password manager, I found the latter to be far more efficient and consistent across different platforms when compared to the current state of the 1Password integration.

Furthermore, I would like to draw your attention to what appears to be a significant architectural design concern. The current model requires a separate GUI application to run in the background and interact with a somewhat inconsistently standardized API, which tends to malfunction under certain edge cases. This, in our opinion, is an overly complex and inefficient approach.

A more streamlined and reliable solution, in our view, would be to utilize the system's keychain in a standard way, for example by storing the encryption key for local data and the token for cloud access there. This would simplify the user experience, improve reliability, and potentially enhance the security of your application.

Another possible improvement could be the integration of hardware security keys, such as a YubiKey, as a second factor for confirming access to 1Password data. This would add an extra layer of security and could potentially reduce the reliance on the aforementioned background application, contributing to a smoother user experience.

We firmly believe these suggestions, if implemented, could greatly enhance the usability and reliability of your product across all platforms.

Please understand that this message is not intended to diminish the value of your product - we appreciate the convenience and security that 1Password brings to the table. However, we believe that there is substantial room for improvement in the cross-platform functionality of your CLI integration.

We are eager to adopt a unified MFA solution across our team, and we would prefer to use 1Password for this purpose. Therefore, we would greatly appreciate it if you could address these cross-platform compatibility issues in future updates.

We look forward to your response and any potential solutions or workarounds you may be able to suggest.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hi @eigrad, and thanks for the detailed feedback! I will go over the main improvement points I could identify in your message:

    Some of our team members are using Windows with WSL, while others (myself included) are operating on Linux with a tiling window manager. We have found that the user experience and performance of the 1Password CLI integration on these systems significantly lag behind that on Mac OS.

    Shell plugins (including the AWS shell plugin, which is the integration that offers seamless assume role and MFA authentication without your secrets ever touching the disk) are not currently supported on Windows. However, we are currently looking into solutions for supporting WSL.
    Could you offer any details or examples about how the user experience or performance of the AWS CLI integration fell short on Linux?

    Even on Mac OS, one of our engineers struggled for two hours to set up the 1Password app and CLI integration, indicating that even the supposedly optimized platform presents significant challenges.

    We are sorry to hear that! Could you offer some examples around what made the setup process not as streamlined as you would have hoped? This is important so we know what exact steps in our setup process we can improve in the future and how to do so.

    Another possible improvement could be the integration of hardware security keys, such as a YubiKey, as a second factor for confirming access to 1Password data. This would add an extra layer of security and could potentially reduce the reliance on the aforementioned background application, contributing to a smoother user experience.

    What is the exact use case you are referring to here? Once we pinpoint your exact use case, it is easier to reason about a potential solution. Are you talking about:

    1. Using a YubiKey as an MFA method for AWS, when using shell plugins?
    2. Using the CLI on an account that requires a YubiKey?
    3. Unlocking 1Password/the CLI with a YubiKey?

    A more streamlined and reliable solution, in our view, would be to utilize the system's keychain in a standard way

    The way shell plugins (including the AWS CLI integration) were envisioned is to rely on the already existing 1Password encryption model. Therefore your secrets are meant to get stored inside 1Password (which would also help with carrying your secrets across devices). That being said, I understand the requirement to always have a desktop app on the device from which you use shell plugins could be a bit inconvenient. I have opened an internal issue about removing shell plugins' reliance on the desktop app. The CLI already has the option to work as a standalone client, without using the desktop app, but we also have to allow that for shell plugins.

    We are eager to adopt a unified MFA solution across our team, and we would prefer to use 1Password for this purpose. Therefore, we would greatly appreciate it if you could address these cross-platform compatibility issues in future updates.

    Thanks for your feedback, we really appreciate it and we hope shell plugins can act as your preferred AWS authentication solution.

This discussion has been closed.