Forum Discussion
Anonymous
4 years ago
Security questions about biometric CLI authentication
Hi!
First off, I think the biometric CLI authentication is awesome!
I always wished I could write scripts that I could share with my coworkers where secrets were fetched automatically.
I jus...
Anonymous
4 years ago
Hey @felix_scheinost,
It's really nice to hear that you like biometric unlock for the CLI.
- every invocation of the op command would require authentication? Currently it seems like I only need to authenticate once per process? I worry that I might authenticate the CLI initially for a legitimate access but later in the script a malicious call to the CLI happens. It seems this might not need additional authentication so the user wouldn't notice.
What you can do is run op signout immediately after executing your command. That will revoke your authorization. So any subsequent use of the CLI will require you to grant authorization again.
- (this sort of depends on the previous point) to further reduce the attack surface, could the authentication dialog specify which e.g. items are accessed? Currently it just says the account name, and process name.
That's a really good suggestion. We are considering whether this is something that we can add.
Thank you for your feedback!
Joris
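
One way to apply the sign-out advice above in a shared script, as an added example that is not part of the original thread or 1Password's own code: the hypothetical helper `op_once` wraps a single `op` call and always runs `op signout` afterwards, including when the call fails or the script is interrupted. The secret reference in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): scope the CLI authorization to one call.
# op_once is a hypothetical helper name; op and "op signout" are the real CLI.

# op_once ARGS...
#   Runs `op ARGS...` in a subshell, then revokes the authorization with
#   `op signout` no matter how the subshell ends, and returns op's exit status.
op_once() (
    # The EXIT trap fires on normal exit, on failure, and after the signal
    # traps below turn an interrupt into an exit.
    trap 'op signout >/dev/null 2>&1 || echo "warning: op signout failed" >&2' EXIT
    trap 'exit 130' INT
    trap 'exit 143' TERM

    op "$@"
    exit $?
)

# Usage inside a script (constructed secret reference, replace with your own):
#   token=$(op_once read "op://ExampleVault/ExampleItem/password") || exit 1
#   ... use "$token" ...
# Any later `op` call in the same script has to be authorized again.
```

Each `op_once` call triggers its own authorization prompt, so an unexpected prompt later in a script is visible to the user instead of riding on an earlier approval.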