Support TFA for 1password accounts
alpipego opened this issue · comments
I have TFA enabled for my 1password account. Unfortunately, 1pass can't handle this and instead of letting me input the token, the TFA prompt instantly returns and fails.
signing in to xxx.1password.com alpipego@xxx.com
Enter your six-digit authentication code: [LOG] 2019/03/17 12:53:25 (ERROR) Incorrect One-Time Password length. Expected 6.
1pass failed to signin to xxx.1password.com
It'd be great if TFA support could be added.
Thanks for raising this issue. I will investigate adding this support. Can I ask -- do you use TOTP with (e.g.) Google Authenticator or Authy?
I use it with Yubiauth.
I played with some solutions to this -- one more question: the op command line tool requires refreshing the session every 30 minutes. If the timeout expires, 1pass currently will re-sign-in automatically (since the needed credentials are all cached & encrypted locally).
In the case of 2FA, if the timer expires, then I assume you expect to have to re-auth with your second factor?
> In the case of 2FA, if the timer expires, then I assume you expect to have to re-auth with your second factor?
Yes, that's true. I have to re-enter my OTP every time I run op signin.
If it helps: I don't have to do this in the 1password X browser extensions, or any other app for that matter. They only require me to input my password to unlock my vault, i.e., only on the first login to a device or after I've changed my password, 1password X requires me to input a TFA token.
I've created a pull request #20 that adds support for TOTP 2FA. Can you give it a shot? In particular, the code may be too specific to 6-digit auth codes. Please let me know.
I had to install expect:
signing in to xxx.1password.com alpipego@xxx.com
/usr/local/bin/1pass: line 157: expect: command not found
1pass failed to signin to xxx.1password.com
Other than that, I was able to sign in fine. I'll use it throughout the day and let you know then.
Ah, thanks for the reminder on expect -- I'll update the docs in the PR.
Looks great so far. It asks me for a six-digit authentication code after login and when I invoke it with the -r flag; so everything as expected.
thanks for raising this issue. I've merged the PR.