CLI always requires authentication code

razorsedge · October 2018

I am using the op CLI and I also have two-factor authentication enabled. Every time I authenticate to op, it asks for the authentication code. This gets annoying quickly and does not help in my quest to automate CLI signin.

$ op signin YYY
Enter the password for XXX at YYY.1password.com:
Enter your six-digit authentication code:

Is there a way to convince op that it is running on the same host similar to the way the 1password application and browser extensions do?

$ op --version
0.5.4

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OSX 10.13.6
Sync Type: Not Provided

cohix · October 2018

@razorsedge unfortunately the CLI has something of an "incomplete" implementation of 2FA, only in that it does not persist the 2FA secret after the first authentication. All the other apps persist this secret, allowing them to do 2FA "silently" in the background, but that has not yet been implemented on the CLI. It's something we look to do in the future, but I can't give a timeline on when it will be available.

woakas · February 2019

Hi, any update about this feature?

cohix · February 2019

@woakas Yes, this is something I've written the code for, but it has been put on hold due to some other more pressing matters. Rest assured it will come :)

woakas · February 2019

Haha, I know, let me know when you can release this feature, thanks.

cohix · February 2019

@woakas Keep an eye on this forum :)

Moritz_ · May 2019

I had blinked once or twice since but haven't noticed any news on this yet. ;-)

mickael · May 2019

@Moritz_ I agree this is annoying.

I have written some little shell scripts to access the 2FA more quickly, they are designed for MacOs but could be easily ported to any system I guess. I have assigned them on a button of my MBP TouchBar but you can use them with a shortcut or what you want:

$HOME/bin/totp2.py $(gpg --quiet --decrypt encrypted_file_with_2FA_key ) | pbcopy

If you are confident of keeping your 2FA key decrypted and/or don't want to bother with gpg, you can simply:

$HOME/bin/totp2.py PUT_YOU_2FA_KEY_HERE | pbcopy

and the totp2.py is as simple as

#!/usr/local/bin/python3
import pyotp
import sys

totp = pyotp.TOTP(sys.argv[1])
print(totp.now())

Be sure to have installed the pyotp library globally with something like PIP_REQUIRE_VIRTUALENV="" pip install pyotp

rickfillion · May 2019

Hah. That's a pretty awesome workaround, mikael.

This is an issue that we still want to see fixed on our side. Hopefully soon we start rolling out CLI releases again.

Rick

mickael · May 2019

If a moderator can delete this message and edit my previous message and remove "especially due to the fact that the sessions are closed every 30 minutes when using multiple accounts." as this is not true ;) thx

graham_1P · May 2019

Edited per your request Mickael.

Moritz_ · May 2019

This is an issue that we still want to see fixed on our side. Hopefully soon we start rolling out CLI releases again.

Yeah I get that the CLI is the most niche 1P product in terms of install base by customers. Though for folks like me who work primarily on Linux based systems + on a Shell most of the times this really would be something nice to get fixed.
So I do understand it can take some time but I just wanted to make sure that there is some visibility on it.
Have a good week y'all.

AGAlumB · May 2019

Totally. Thanks for your feedback! While our current focus is getting the CLI app out of beta, there are still a lot of features and enhancements we're anxious to add in future updates. :)

lrosenman · July 2019

I'm interested in this as well (0.5.7 still prompts every signin).

cohix · July 2019

The CLI is going to be more of a focus for my team fairly soon, so keep your eyes out :)

CLI always requires authentication code

Comments