Former Member
4 years ago

[62] Automatic login and session management

Sorry, this might be not so well structured feedback. I just want to share the slight annoyance I'm having with expiring sessions in my daily workflows.

As said in https://1password.community/discussion/126437/16-17-20-support-for-both-versions-in-scripts, I mostly use the CLI with direnv. (And occasionally with Ansible Vault, and some other use cases.) With my workflow with multiple tmux panes and constant directory changes, I end up more often than not with an error of invalid OP session. Then I have to sign in and trigger a new op run.

It might indeed not be the best security practice to fetch the secrets only once when entering a directory, and store them in the env vars. (Although much better than having the secrets as plaintext on the filesystem :wink:) But with op run the session issue would be even worse, as there is the hard limit of 30 minutes.

I have scripted an automatic sign-in for one use case, and I'm planning to implement it for https://github.com/tmatilai/direnv-1password, too. But I would like to know if you have any ideas about the best pattern here. Or maybe the CLI could offer more help with session management?

So the issues (which might not be easy to solve without reducing security):
1. Sessions are not global, but local to the shell session. This is of course a big security question as solving it would require storing the session token somewhere.
2. Session expires in 30 minutes. Could there be an option to reset the timer on every op usage? With a configurable max TTL.
3. Any help for the automatic sign-in? Maybe even an option to do it with any op command. This would block the command, so it should still be opt-in. Optimally the session token should somehow be delivered back to the caller or shell session so the next op command would also have it. Might be hard without #1, as STDIN/STDERR are reserved for the command output.


5 Replies

  • Former Member

    Even after a short testing time I can declare the biometric unlock fantastic!
    It saves me from entering the passphrase dozens of times a day, which distracted my concentration from what I was going to do. Love it!

  • Former Member

    This is soo great! Can't wait to start testing it. \o/

  • 1P_Simon
    1Password Team

    https://1password.community/discussion/126766/biometric-unlock-is-here. 🎉

    Would love to hear your thoughts and if this solves issues 2 and 3 you mentioned above? If there's anything more we can do on top, please let us know. We're here to improve and all insights on friction points are much appreciated!

  • Former Member

    This is just excellent news! Thank you so much! :love:

  • 1P_Simon
    1Password Team

    Hi @r00t, thanks a lot for sharing your frustrations! We're looking to improve the developer experience with this new CLI version, so any friction points are good to know about so we can look into polishing those.

    I'm happy to let you know that the sign-in experience has our focus right now. As https://1password.community/discussion/125399 we're soon introducing Biometric Unlock, which will enable you to authenticate your 1Password account using your fingerprint.
    There's a couple more friction points around the sign-in experience that we're addressing in this release and in subsequent releases, among which many of the ones you've shared above.

    1) Unfortunately, there’s another security factor we have to take into account: if we would allow any terminal to use the CLI when you’re signed in, we’re basically giving any process running on your system access to your account. For this reason, we tie a session to a specific shell session and only allow this session to use 1Password.
    2) Included in the Biometric Unlock feature that we're releasing soon is the "timer reset" that you describe, up to a maximum of 12 hours. We're looking into doing the same for logins with password.
    3) The Biometric Unlock feature will also prompt you when using any op command when you're not signed in yet. We're also looking into doing the same for logins with password. Does that cover what you're trying to achieve?

    Please don't hesitate to continue to share any friction points you encounter, we love to hear opportunities to improve your experience! And no worries about the structure, this is perfect.
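
The session behaviour discussed in this thread (sessions bound to one shell, an idle timer that resets on each use, and a maximum lifetime), modelled as an added example that is not part of any post and is not 1Password's code. Assumptions: the 30-minute figure from the original post is used as the idle window, the 12-hour figure from the reply as the cap, and `shell_id`, `SessionPolicy` and `replay` are hypothetical names.

```python
IDLE_TIMEOUT = 30 * 60        # seconds; the 30-minute limit from the original post
MAX_LIFETIME = 12 * 60 * 60   # seconds; the 12-hour cap from the reply


class SessionPolicy:
    """Toy model: per-shell sessions, sliding idle timer, absolute cap."""

    def __init__(self, idle=IDLE_TIMEOUT, max_lifetime=MAX_LIFETIME):
        self.idle = idle
        self.max_lifetime = max_lifetime
        self.sessions = {}  # shell_id (hypothetical name) -> [created, last_used]

    def sign_in(self, shell_id, now):
        self.sessions[shell_id] = [now, now]

    def use(self, shell_id, now):
        """Return 'ok', or the reason a fresh sign-in is needed."""
        session = self.sessions.get(shell_id)
        if session is None:
            return "no-session"       # a session in another shell is not shared
        created, last_used = session
        if now - created >= self.max_lifetime:
            reason = "max-lifetime"   # activity cannot extend past the cap
        elif now - last_used >= self.idle:
            reason = "idle-expired"
        else:
            session[1] = now          # each use resets the idle timer
            return "ok"
        del self.sessions[shell_id]
        return reason


def replay(events):
    """events: (minute, shell_id, action); returns the outcome of each 'use'."""
    policy, outcomes = SessionPolicy(), []
    for minute, shell_id, action in events:
        now = minute * 60
        if action == "signin":
            policy.sign_in(shell_id, now)
        else:
            outcomes.append((minute, shell_id, policy.use(shell_id, now)))
    return outcomes


# Constructed timeline: two tmux panes, only pane-1 signs in.
SAMPLE = [(0, "pane-1", "signin"), (20, "pane-1", "use"), (45, "pane-1", "use"),
          (46, "pane-2", "use"), (80, "pane-1", "use")]

if __name__ == "__main__":
    for row in replay(SAMPLE):
        print(row)
```

In the sample timeline, the use at minute 45 succeeds only because the use at minute 20 reset the timer, the second pane has no session of its own, and the 35-minute gap before minute 80 forces a new sign-in.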