dcreemer / 1pass

A caching wrapper for the 1Password CLI
GNU General Public License v3.0

Support TFA for 1password accounts #17

Closed alpipego closed 5 years ago

alpipego commented 5 years ago

I have TFA enabled for my 1password account. Unfortunately, 1pass can't handle this and instead of letting me input the token, the TFA prompt instantly returns and fails.

signing in to xxx.1password.com alpipego@xxx.com
Enter your six-digit authentication code: [LOG] 2019/03/17 12:53:25 (ERROR) Incorrect One-Time Password length. Expected 6.
1pass failed to signin to xxx.1password.com

It'd be great if TFA support could be added.

dcreemer commented 5 years ago

Thanks for raising this issue. I will investigate adding this support. Can I ask -- do you use TOTP with (e.g.) Google Authenticator or Authy?

alpipego commented 5 years ago

I use it with Yubiauth.

dcreemer commented 5 years ago

I played with some solutions to this -- one more question: the op command line tool requires refreshing the session every 30 minutes. If the timeout expires, 1pass currently will re-sign-in automatically (since the needed credentials are all cached & encrypted locally).

In the case of 2FA, if the timer expires, then I assume you expect to have to re-auth with your second factor?

alpipego commented 5 years ago

> In the case of 2FA, if the timer expires, then I assume you expect to have to re-auth with your second factor?

Yes, that's true. I have to re-enter my OTP every time I run op signin.

alpipego commented 5 years ago

If it helps: I don't have to do this in the 1password X browser extensions, or any other app for that matter. They only require me to input my password to unlock my vault, i.e., only on the first login to a device or after I've changed my password, 1password X requires me to input a TFA token.

dcreemer commented 5 years ago

I've created a pull request https://github.com/dcreemer/1pass/pull/20 that adds support for TOTP 2FA. Can you give it a shot? In particular, the code may be too specific to 6-digit auth codes. Please let me know.

alpipego commented 5 years ago

I had to install expect:

signing in to xxx.1password.com alpipego@xxx.com
/usr/local/bin/1pass: line 157: expect: command not found
1pass failed to signin to xxx.1password.com

Other than that, I was able to sign in fine. I'll use it throughout the day and let you know then.

dcreemer commented 5 years ago

Ah, thanks for the reminder on expect -- I'll update the docs in the PR.

alpipego commented 5 years ago

Looks great so far. It asks me for a six-digit authentication code after login and when I invoke it with the -r flag; so everything as expected.

dcreemer commented 5 years ago

Thanks for raising this issue. I've merged the PR.

dcreemer commented 5 years ago

(resolved in #20)
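
Added example (not code from 1pass or from PR #20): a shell sketch of the two decisions discussed in this thread, namely whether a session older than the 30-minute limit can be renewed from cached credentials or needs a fresh second factor, and how to check an entered code without assuming exactly six digits. The function names, the timestamp-file layout and the `yes`/`no` 2FA flag are assumptions made for illustration; the 6 to 8 digit range is the one RFC 4226 permits.

```shell
#!/bin/sh
# Hypothetical helpers for illustration; none of these names come from 1pass.
SESSION_TTL=1800   # 30 minutes, the op session lifetime mentioned in the thread

# valid_otp CODE: succeed only for a code of 6 to 8 decimal digits,
# so the check is not tied to six-digit codes.
valid_otp() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 8 ]
}

# session_expired STAMP_FILE NOW: succeed when there is no usable sign-in
# timestamp, or the last sign-in is SESSION_TTL or more seconds old.
session_expired() {
    [ -r "$1" ] || return 0
    last=$(cat "$1")
    case "$last" in
        ''|*[!0-9]*) return 0 ;;   # corrupt stamp: treat as expired
    esac
    [ $(( $2 - last )) -ge "$SESSION_TTL" ]
}

# signin_plan STAMP_FILE NOW HAS_2FA: print what the wrapper should do next.
signin_plan() {
    if ! session_expired "$1" "$2"; then
        echo reuse          # session still valid, no sign-in needed
    elif [ "$3" = yes ]; then
        echo prompt-otp     # cached credentials alone cannot renew; ask the user
    else
        echo auto-signin    # cached credentials are sufficient
    fi
}
```

A wrapper would call `signin_plan` before each command and run `valid_otp` on the user's input before handing it to the sign-in prompt, so a malformed code is rejected locally instead of costing a failed sign-in attempt.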