Cross-Platform Compatibility and User Experience Feedback with 1Password CLI and AWS MFA integration

Hi @eigrad, and thanks for the detailed feedback! I will go over the main improvement points I could identify in your message:

Some of our team members are using Windows with WSL, while others (myself included) are operating on Linux with a tiling window manager. We have found that the user experience and performance of the 1Password CLI integration on these systems significantly lag behind that on Mac OS.

Shell plugins (including the AWS shell plugin which is the integration that offers seamless assume role and MFA authentication without your secrets ever touching the disk) are not currently supported on Windows. However, we are currently looking into solutions for supporting WSL.
Could you offer any details or examples about how the user experience or performance of the AWS CLI integration fell short on Linux?

Even on Mac OS, one of our engineers struggled for two hours to set up the 1Password app and CLI integration, indicating that even the supposedly optimized platform presents significant challenges.

We are sorry to hear that! Could you offer some examples around what made the set up process not as streamlined as you would have hoped. This is important so we know what exact steps in our set up process we can improve in the future and how to do so.

Another possible improvement could be the integration of hardware security keys, such as a YubiKey, as a second factor for confirming access to 1Password data. This would add an extra layer of security and could potentially reduce the reliance on the aforementioned background application, contributing to a smoother user experience.

What is the exact use case you are referring to here. Once we pinpoint your exact use case, it is easier to reason about a potential solution. Are you talking about:

1. Using a Yubikey as an MFA method for AWS, when using shell plugins?
2. Using the CLI on an account that requires a Yubikey?
3. Unlocking 1Password/the CLI with a Yubikey?

A more streamlined and reliable solution, in our view, would be to utilize the system's keychain in a standard way

The way shell plugins (including the AWS cli integration) were envisioned is to rely on the already existing 1Password encryption model. Therefore your secrets are meant to get stored inside 1Password (which would also help with carrying your secrets across devices). That being said, I understand the requirement to always have a desktop app on the device from which you use shell plugins could be a bit inconvenient. I have opened an internal issue about removing shell plugins' reliance on the desktop app. The CLI already has the option to work as a standalone client, without using the desktop app, but we also have to allow that for shell plugins.

We are eager to adopt a unified MFA solution across our team, and we would prefer to use 1Password for this purpose. Therefore, we would greatly appreciate it if you could address these cross-platform compatibility issues in future updates.

Thanks for your feedback, we really appreciate it and we hope shell plugins can act as your preferred AWS authentication solution.