CLI, 2F Auth, and Ansible "onepassword" module: able to sign in without providing 2FA code

jamesdh
jamesdh
Community Member

Recently setup a new Mac and installed latest 1Password CLI tools (1.6.0). When signing in the first time and providing my secret key, I was prompted for my password and 2FA code, as expected.

In an effort to update some automation tools I have, I tried using Ansible's "onepassword" module to retrieve certain sensitive facts from 1Password.

I was a little confused because the example shown for logging in only shows an argument for the secret key, and nothing for the 2F auth code. I thought perhaps it would prompt for the 2F code when run, so I setup my ansible script, gave it a go and....nope. It successfully logs in with domain, password, and secret key. No 2FA auth code required.

I thought perhaps it was using a prior logged in session, so I verified op signout, re-ran my ansible script and....it logged in just fine again and retrieved an item.

According to the ansible doc page, "onepassword wraps the op command line utility to fetch specific field values from 1Password" so I'm not sure how they are able to bypass the 2FA requirement, but they are. And if they are, then that tells me it's possible to do so via the CLI as well.

This feels like a glaring security flaw. Am I missing something obvious?


1Password Version: 7.6
Extension Version: Not Provided
OS Version: OSX 10.15.6
Sync Type: 1Password

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @jamesdh!

    I am not a CLI developer, but this behavior is consistent with every other 1Password app: 1Password will ask you for your TOTP only the first time you login from a new device. Subsequent logins won't require your TOTP code (since your data is encrypted with your Master Password and Secret Key, not with your TOTP code).

    Looking at the changelog for the CLI tool, it looks like this change was made back in version 0.6:

    When 2FA codes are enabled on your account, you will now only need to enter it on the first sign-in, not every time.

  • jamesdh
    jamesdh
    Community Member

    Ok, it appears simply op signout isn't enough, but must do op signout --forget.

  • ag_ana
    ag_ana
    1Password Alumni

    Correct @jamesdh :+1: :)

This discussion has been closed.