Signing back into the Community for the first time? You'll need to reset your password to access your account.  Find out more.

Forum Discussion

Former Member's avatar
Former Member
2 years ago

Limit on PAM authentication tries?

Currently it seems like I can try to authenticate with PAM to unlock 1Password as many times as I want. I'd like to be able to have fingerprint unlock for 1Password, without allowing unlimited tries, since I don't fully trust the security of the fingerprint reader.


1Password Version: 8.10.0
Extension Version: Not Provided
OS Version: Ubuntu 22.04
Browser:_ Not Provided

  • Former Member's avatar
    Former Member

    I don't have an answer for you (as I don't have a linux system at hand to test with), but I very strongly suspect that the answer will involve pam_faillock which is a Linux Pluggable Authentication Module specifically designed to configure retry limits and retry delays for things like this.

    But I am merely foreshadowing what I expect people who know better will say.

  • AliH1P's avatar
    AliH1P
    Icon for 1Password Team rank1Password Team

    Hey @arip, I reached out to some of our developers to get clarification on this. This is typically handled by PAM - we ask PAM to authenticate and it returns a pass/fail. So ultimately, how it authenticates is up to how PAM is configured. You can find some additional details on PAM configurations here: https://linux.die.net/man/8/pam_tally

    Let me know if this helps or if you have any questions.

    Ali

  • Former Member's avatar
    Former Member

    I agree that it would be best to let PAM handle this, but setting up pam_faillock2 (pam_tally isn't available on Ubuntu 22.04) is not super straightforward, and mucking with the PAM configuration manually is scary and can result in a less secure system.

  • AliH1P's avatar
    AliH1P
    Icon for 1Password Team rank1Password Team

    Hey @arip, I apologize for my delayed response. I understand your concerns here and will pass your comment along to our developers.

    Let me know if there's anything else we can help with at this time.

    Ali