Recently set up a new Mac and installed the latest 1Password CLI tools (1.6.0). When signing in the first time and providing my secret key, I was prompted for my password and 2FA code, as expected.
In an effort to update some automation tools I have, I tried using Ansible's "onepassword" module to retrieve certain sensitive facts from 1Password.
I was a little confused because the example shown for logging in only shows an argument for the secret key, and nothing for the 2F auth code. I thought perhaps it would prompt for the 2F code when run, so I set up my Ansible script, gave it a go and... nope. It successfully logs in with domain, password, and secret key. No 2FA auth code required.
I thought perhaps it was using a prior logged-in session, so I verified op signout, re-ran my Ansible script and... it logged in just fine again and retrieved an item.
According to the Ansible doc page, "onepassword wraps the op command line utility to fetch specific field values from 1Password", so I'm not sure how they are able to bypass the 2FA requirement, but they are. And if they are, then that tells me it's possible to do so via the CLI as well.
This feels like a glaring security flaw. Am I missing something obvious?
1Password Version: 7.6
Extension Version: Not Provided
OS Version: OSX 10.15.6
Sync Type: 1Password