Former Member
5 years ago

1p cli and 2FA

Is it possible to force the 1P cli tool to require 2FA approval periodically?

I don't need this for every single request, but when you consider that the
~/.op/config file contains the following plain-text:


{
  "latest_signin": "...",
  "device": "...",
  "accounts": [
    {
      "shorthand": "...",
      "url": "https://....1password.com",
      "email": "user@example.or",
      "accountKey": "AB-123-DEF-123-FFDSH",
      "userUUID": "...",
      "dsecret": "..."
    }
  ]
}

You can see why having enforced 2FA is a Good Thing. Anybody with access to the config file now only needs the password to gain access.

Ideally it would be possible to enforce mandatory 2FA at the session auth stage each time, and also have a way of flagging values (or perhaps an entire vault) to require 2FA approval (or Touch ID in a corresponding app) for each usage, like Duo 2FA does.

1 Reply

  • Former Member

    Hey @skunkwerks

    Enforcing account-wide 2FA policies is a feature for the Business tier of accounts.

    With a 1Password business account, administrators can manage 2FA by enforcing it for everyone on your team.

    For more info, please check out https://support.1password.com/two-factor-authentication/#manage-two-factor-authentication-for-your-team

    Please note that even with the Business tier, using Authenticator Applications will only enforce 2FA on new device logins.

    Using our integration with https://duo.com will allow the admins to manage how often they should be prompted for 2FA, and the shortest period currently is daily.
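
A local check for the config file shown in the question, as an added example that is not part of the original thread and not 1Password's own code: it flags a CLI config file that group/other users can reach, that another user owns, or that holds `accountKey`/`dsecret` values in plain text. The expectation of mode 0600 on the file and 0700 on its directory, and every value in the `demo` sample, are assumptions constructed for illustration.

```python
import json
import os
import stat
import tempfile

SENSITIVE_FIELDS = ("accountKey", "dsecret")  # fields from the post's config worth flagging
LOOSE = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def audit_op_config(path):
    """Return findings for a 1Password CLI config file at `path`."""
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    for label, target in (("file", path), ("directory", parent)):
        st = os.stat(target)
        mode = stat.S_IMODE(st.st_mode)
        if mode & LOOSE:  # assumption: only the owner should have any access
            findings.append(f"{label} {target} has mode {mode:04o}: open to group/other")
        if hasattr(os, "getuid") and st.st_uid != os.getuid():
            findings.append(f"{label} {target} is owned by uid {st.st_uid}")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    for account in config.get("accounts", []):
        stored = [f for f in SENSITIVE_FIELDS if account.get(f)]
        if stored:
            findings.append(f"account {account.get('shorthand', '?')}: "
                            f"{', '.join(stored)} stored in plain text")
    return findings


def demo():
    """Audit a constructed (not real) config before and after tightening modes."""
    sample = {"accounts": [{"shorthand": "demo", "email": "user@example.invalid",
                            "accountKey": "CONSTRUCTED-KEY", "dsecret": "CONSTRUCTED"}]}
    with tempfile.TemporaryDirectory() as opdir:
        path = os.path.join(opdir, "config")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(opdir, 0o755)
        os.chmod(path, 0o644)
        before = audit_op_config(path)
        os.chmod(opdir, 0o700)
        os.chmod(path, 0o600)
        after = audit_op_config(path)
    return before, after


if __name__ == "__main__":
    for finding in audit_op_config(os.path.expanduser("~/.op/config")):
        print(finding)
```

Tightening the modes clears the permission findings but not the plain-text one, so the file still needs the same protection as any other credential store on the host.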